ObserveIT Configuration Guide
[Screenshot: Server Policy Template page, System Policy section. Check boxes: Enable recording, Enable Identity Theft Detection, Enable API, Show tray icon, Restrict to RDP, Enable hotkeys, Enable key logging, Optimize screen capture data size, Enable recording notification ("All activity on this machine is recorded", Default). Settings: Set image format (Grayscale, Server Compression), Set session timeout (minutes: 15), Set keyboard frequency (Low), Set continuous recording (seconds: OFF).]

3. Click Save to save the changes. Setting changes will take effect on new user sessions after the current sessions are closed.

Enabling Key Logging

Note: This feature is supported on Windows-based server policies.

ObserveIT's key logger enables the tracking and recording of all on-screen user activity on monitored servers. For further details, see ObserveIT Key Logging in the User Guide.

To use the ObserveIT text logger on monitored servers, the key logging feature must be enabled. By default, key logging is disabled. You can configure key logging manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.

To configure key logging using Server Policies:

1. In the Configuration > Server Policies page, click Create or select a server policy template (Windows-based or Unix-based).
[Screenshot: Server Policy Template page: Set image format (Grayscale, Server Compression), Set session timeout (minutes: 15), Set keyboard frequency (Low), Set continuous recording (seconds: OFF); recording notification text "All activity on this machine is recorded".]

3. Click Save to save the changes. Setting changes will take effect on new user sessions after the current sessions are closed.

Enabling Hotkeys

Note: This feature is supported only on Windows-based server policies.

ObserveIT allows you to access the following features by using the F11 and F12 hotkeys:

• F11 enables you to create sticky notes, which can be attached to resources and applications on the monitored servers. For further details, see Sticky Notes.
• F12 enables the use of context-sensitive searches through the database. For further details, see Context Sensitive Search.

By default, these hotkeys are disabled. You can configure the hotkeys status manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.

To enable the use of hotkeys using Server Policies:

1. In the Configuration > Server Policies page, click Create or select a server policy template (default Windows-based policy).
2. In the System Policy section of the Server Policy Template page, select the Enable hotkeys check box.

[Screenshot: Server Policy Template page.]

Copyright 2015 ObserveIT. All rights reserved.
[Screenshot: Windows Run dialog ("Type the name of a program, folder, document or ..."), with Browse and Cancel buttons.]

Although this may seem like a security flaw, ObserveIT is not designed to work inline with the Windows operating system. It will never prevent a user from logging on to the system, even if they cannot pass the Identification prompt. All the user's actions are still recorded. The only effect is that the user is not identified for the specific session. Only the Windows logon name is displayed in the Server and User Diaries, similar to when Identification Services is not enabled.

[Screenshot: Server Diary listing sessions (Session, Duration, Login, User, Server, Client, Slides, Video) for user Administrator on WIN2003-OITSRV, one with Login "n/a" and one with Login "user1", together with the applications used in each session, for example Windows Task Manager, Notepad, My Documents, Visual Studio 2005 and Registry Editor.]

If you need to entirely lock the monitored systems and prevent users from being able to pass the ObserveIT logon screen or identification prompt, you will need to modify the systems' security settings and prevent users from being able to run and use the Task Manager. This can be done either at the local computer level by using the Local Gro
Generate an alert every first time the URL prefix contains AdminUsersView.

Scenario: social media sites (Visited URL: Site contains facebook, twitter)

User Activity | Alert Generated
1. User logs in to Facebook (enters the URL www.facebook.com/login). |
2. User goes to a friend's page (enters the URL www.facebook.com/friend). | NO alert is generated, because the Site rule refers only to the domain part of the URL (www.facebook.com).
3. User logs in to Twitter (www.twitter.com/login). |

Scenario: User Administration area (Visited URL: URL prefix contains AdminUsersView)

User Activity | Alert Generated
1. User opens the browser at http://111.222.333.444:4884/ObserveIT/AdminUsersView.aspx?GroupIndex=3&TabIndex=1&lang=en |
2. User opens a new browser at http://111.222.333.444:4884/ObserveIT/AdminUsersView.aspx?GroupIndex=2&TabIndex=1&lang=en | NO alert is generated, because this is not a new occurrence of the URL prefix rule.
3. User goes to http://111.222.333.555:5994/ObserveIT/AdminUsersView.aspx?GroupIndex=2&TabIndex=1&lang=en | YES: matches the URL prefix text "ObserveIT/AdminUsersView", but the site is different than the first site opened in the session.

Alert Rule | Condition Example | Description | User Activity
Trigger an alert every time in a session that a user accesses LinkedIn | Visited URL: Any part of URL contains linkedIn | Generate an alert every time any part of the URL contains linkedIn | 1. User logs in to LinkedIn (enters the URL); opens a linkedIn
1. In the Configuration > Server Policies page, click Create or select a server policy template (Windows- or Unix-based policy).
2. In the Identification Policy section of the Server Policy Template page, select the Enforce Login check box. By default, this check box is selected. Note that selecting this check box when no Forced Identification users have been defined will have no effect.

[Screenshot: Identification Policy section of the Server Policy Template page: Enforce Login check box; Secondary authentication message ("All activity on this machine is recorded and ...", Default); the instruction "Please select All Users or enter Domain Name\Login (i.e. administrator or OBSERVEIT\danielp) to enforce identification for that user. You can add multiple users to this list"; All Users / Domain / Login User fields with an Add button; the list of added users (Domain, User, Created Date, for example OBSERVEIT-SYS, asd, 1/14/2015) with a Remove link; Save last used login check box.]

3. If required, you can edit the text of the default message that will be displayed to the user when requested to provide secondary authentication. For further details, see Enabling Recording Notification.
4. Select All Users to enforce a secondary login on all the users who are logged in to the monitored servers.
5. Or, select User to enforce a secondary login on a specific user: enter the required Domain name or select it from the list a
Installation events, Event IDs 1602 to 1611. The Category column reads Installation for every row; the Severity column reads, in row order: Medium, Low, Low, Low, Medium, Low, Low, Low, Medium, High.

Event Name | Description
Agent was unregistered |
Agent registration was successful | The Agent was successfully registered.
Agent installation failed due to incorrect security password | The Agent installation failed due to an incorrect security password. Check your password and try to install again.
Agent installation failed | The Agent installation failed without a security password or for unknown reasons. Go to the setup log and look for possible errors.
Agent installation with password was successful | The Agent was successfully installed with a security password.
Agent installation without a password was successful | The Agent was successfully installed without a security password.
Uninstallation of Agent failed due to incorrect security password | Uninstallation of Agent failed due to an incorrect security password. Check your password and try to uninstall again, and if that fails, contact technical support.
Uninstallation of Agent failed | Uninstallation of Agent
Uninstallation of Agent with password was successful |
Uninstallation of Agent without a password was successful |
To configure an offload data recording policy for recorded system function data, select the check box and specify a threshold (in MB) at which recorded system function data will be offloaded. The default is 100 MB.

To configure an offload data recording policy for all recorded data, select the check box and specify a threshold (in MB) at which all recorded data will be offloaded. The default is 500 MB.

Note: These options are enabled by default.

Click Save to save the changes. Setting changes will take effect on new user sessions after the current sessions are closed.

Implementing Security

ObserveIT is designed to be deployed within a secure network and accessed by administrators, and as such is secure. Out-of-the-box deployment is designed to be simple; however, security features such as digital signing and encryption can be optionally configured.

You can configure security in the Configuration > Security page.

[Screenshot: Configuration > Security page, with the Session Privacy, Application Servers and Data Integrity sections.]

When Session Data Integrity is enabled, a warning icon will appear next to the Slides number in the Server/User Diary, indicating that the session data was tampered with.
As an example, consider a scenario in which the ObserveIT Web Console Server is installed in a DMZ (perimeter network), is not a member of any domain, and will be used to monitor a Terminal Server farm consisting of 50 servers. These servers will be used by users that are members of two separate domains: PROD and DEV. In this example, all the users that log on to these servers with either the PROD\Administrator or the DEV\Administrator account will be identified.

In this scenario, you can either add both users separately (PROD\Administrator and DEV\Administrator), or just add one user that includes both these options, that is, Administrator. If a third domain, ACCTG, is later added to the scenario and the ACCTG\Administrator must be identified, you will need to add a third user. If you specify Administrator, you will not need to make any modifications. However, you cannot use Administrator if the ACCTG\Administrator is NOT required to be identified, since all users called Administrator from all domains would be forced to identify.

Important: When you configure a Forced Identification user, that user account cannot be used in the secondary ObserveIT Windows logon screen / Unix prompt. This means that if a Forced Identification user such as Administrator is created and a user logs on to a server with the PROD\Administrator account, they will be required to log on to the secondary ObserveIT
[Screenshot: System Policy section of the Server Policy Template page: Enable Identity Theft Detection, Enable API, Show tray icon, Restrict to RDP, Enable hotkeys, Enable key logging, Optimize screen capture data size, Enable recording notification ("All activity on this machine is recorded", Default); Set image format (Grayscale, Server Compression); Set session timeout (minutes: 15); Set keyboard frequency (Low); Set continuous recording (seconds: OFF).]

3. Click Save to save the changes. Setting changes will take effect on new user sessions after the current sessions are closed.

Showing/Hiding the Agent Tray Icon

Note: This feature is supported only on Windows-based server policies.

When you install the ObserveIT Agent, an icon is automatically placed in the system tray (the notification area next to the clock).

[Image: the ObserveIT Agent icon in the system tray.]

This tray icon shows the recording mode at the start of every session. By default, the Agent tray icon is visible. If the icon is grayed out, then there is a problem with the recording. ObserveIT lets you configure whether to keep the icon visible or hide it.

You can configure the visibility of the tray icon manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.

To configure the ObserveIT Agent icon status using Server Policies:

1. In the Configuration > Server Policies page, click Create or select a server policy template (default Windows-based
would generate an alert on the URL http://111.222.333.444:4884/ObserveIT/AdminUsersView.aspx?GroupIndex=3&TabIndex=1&lang=en.

Visited URL: Any part of URL contains linkedIn would generate an alert on the URL https://www.linkedin.com/profile/view?id=88888&trk=nav_responsive_tab_profile.

The following scenarios provide some examples of how and when alerts are triggered using the Visited URL group of conditions.

Note: For the purposes of these scenarios, the scope of the alert rule is defined per session, which means that an alert will be generated only on the first occurrence of every unique match of the rule in each session. You can also define alerts to be generated once per application process, or once per a specified number of minutes. Full details about defining the scope of rules are provided in Defining the Did What Conditions.

Alert Rule | Condition Example | Description
Trigger an alert the first time in a session that a user browses social media sites during working hours | Visited URL: Site contains facebook, twitter | Generate an alert every time the URL domain contains facebook or twitter.
Trigger an alert every first time in a session that a user enters the User Administration area of the ObserveIT Web Console | Visited URL: URL prefix contains AdminUsersView |
5. In Report Name, type or modify the report name as required.
6. In Report Description, type a description of the report, if needed.
7. Click Save and Finish to complete the process.

Deleting Reports

Custom reports can be deleted when the report is no longer needed.

Note: A custom report cannot be restored after it is deleted; built-in reports cannot be deleted. Remember, you can always edit existing reports, so if you made a mistake when creating a custom report, you can always go back and edit it at any time. No recorded data is lost when a report is deleted.

To delete a custom report:

1. In the Reports tab, click the Delete link next to the report that you want to delete.

[Screenshot: Reports tab. Sidebar: Report List, Latest Activities Reports, Installed Software, Scheduled Reports for Console User, Create New Custom Report, Quick Help (Installation Guide, Usage Guide, Configuration Guide). Custom Reports list with Name, Description and Modified columns, for example "All Remote Desktop Sessions in the past month", "SAMPLE: Admin related tasks, Past Week" (administrative-related tasks performed on monitored servers) and "SAMPLE: App usage grouped by ServerName" (all apps used on monitored servers, grouped by server name, Past Week).]
An ObserveIT Registry key was changed. Registry keys may have been deleted and/or values changed. This might affect Agent functionality. To resolve this, look at the AgentRegistryKeys database table and restore the Registry accordingly.

The ObserveIT Agent Service has reported that the Agent Registry keys/configuration files have been restored.

The ObserveIT Agent Service has reported that installation files were restored after tampering.

The ObserveIT Agent Service has reported that installation files were tampered with. Files may have been renamed and/or contents changed. Check the problem and reinstall the Agent, or replace the tampered file with the file version that was installed previously.

Event ID | Event Name | Category | Severity
1213 | Unix Agent interception was tampered with | Tampering | High
1218 | Agent offline data files were tampered with | Tampering | High
1219 | Agent Service is not responding | Functionality | High
1220 | Process was killed and automatically restarted | Tampering | High
1221 | Agent machine and service are accessible | Communication | Low
1223 | Agent computer is inaccessible | Communication | High
1224 | Agent Service was killed | Functionality | High

The Unix Agent interception setting was tampered with, so that new sessions will not be recorded. Perhaps a user did this to prevent his activities from being recorded. To resolve this, enable interception using the oi
[Screenshot: New Screen Capture Storage Location dialog: Local or network path (for example \\FS2\Q13W8S8-1); "Generate a system event when the database size contains more than 80 out of the allowed 100 GB".]

Enter a new file system path and click Verify.

3. The system checks that the new path exists, has not already been used, and is not a subfolder of an already used path. The system also checks that the user account used by the ObserveIT application pool on the Web Console has read and write permissions for the specified path.
4. Click OK.

Note: If required, you can also configure a threshold setting for the new path that will generate a system event.

Before the changes and data are written to the new path, a confirmation dialog box opens:

"You are about to change the screen capture data storage location from <old path> to <new path>. This action cannot be reversed. However, as long as the path to the previous location is still accessible by the system, data in it can be replayed. After you click Yes, all new session screen capture data will be stored in the new path. Are you sure that you want to proceed?"

Click Yes to proceed. Once committed, the active path will change to the new path. The old path will be displayed in the Additional Screen Capture Data Storage section with the status Available.

Important: The folder structure is au
Note: The Tampered With icon stays on the Admin Dashboard for up to one week after the tampering event occurred, as a reminder that tampering had occurred on this Agent group within the last week. The row remains shaded orange as well, to easily identify which Agent group has been tampered with.

An additional way to handle ObserveIT health monitoring is by receiving digest summaries of system events via email notifications.

[Sample email notification:]
To: joe@itsecurity.com
Subject: System Event Digest: 3793 events during the past 20 minutes
System Event Summary
High severity Events: 1296 (Unrecorded Agent sessions: 767; Agent service stopped: 70; Agent service was terminated: 9; Agent installation failed)
Medium severity Events: 530 (Agent registration was successful)
System Event Details (10 of 3793 shown here; view all)
High severity Events (10 of 2192 shown here)
Agent service stopped. Event ID: 1; Received Time: Monday 10/6/2014 3:22 PM; Severity: High; Event Code: 1202; Event Name: Agent Service has stopped; Event Description: The ObserveIT Agent Service has reported that it has stopped; Server: OIT-LILI; Component: Agent; Source: Agent; Remediation Status: New; View Details

For further details about Agent statuses, system events and event email notifications, see Assessing Agent Statuses and Details, Inves
2. Click Create. The Message Details page opens.

[Screenshot: Message Details page: Subject "Warning message"; Message body (placeholder "Please enter the text that will be displayed on the server(s)") containing "Security regulations require that you acknowledge that you are aware that all your actions on this server are being recorded"; Mandatory Reply check box; Lock User's Desktop check box; Advanced; Cancel and Save buttons.]

3. In the Message Details section, enter a message subject and the message text that you want the user to read.
4. To require the user to send a text reply to the message, select the Mandatory Reply check box.
5. To configure the message to lock the user's desktop, if required, select the Lock User's Desktop check box.
6. Click Save to save the message configuration.

After a message is saved, it appears on the user's desktop immediately after they log in to the monitored server(s). Users are required to acknowledge the message(s) they receive. This acknowledgment is recorded in the ObserveIT Console and can be used as proof that the user(s) have indeed been warned about a specific task and that they understood and accepted the message.

When Mandatory Reply is configured for messages, users must provide textual feedback, such as information about the reason for their logging on to the server(s).
[Screenshot: System Events list for 1/7/2015 (columns: Time, Category, Event Name, Server), listing events such as Application Server is running, Agent offline data files were tampered with, Application Server is not working properly, Agent service has started, Agent machine and service are accessible, Agent service was terminated, Agent service not responding, Process was killed and automatically restarted and Offline data loss threshold exceeded (categories Functionality, Tampering, Communication and Data Loss) on servers W2K8-S8-QA11 and c59-32-3, with Next and Last paging links.]

For each event, the System Events list displays the following:

• A colored severity bar indicating the event's operational status (severity level): Red = High (Error); Orange
[Screenshot row: 4:46 PM, 1221, Communication, Agent machine and service are accessible, c59-32-3.]

Note: If the Agent group member has been tampered with within the last week, or has incurred data loss, in the Servers list you can click the Tampered With icon or the Data Loss icon to open the System Events list filtered to display the last week's tampered-with or data-loss events related to this Agent group member.

2. You can expand an event to view more details.

[Screenshot: expanded event 4:45 PM, 1301, Functionality, Application Server is not working properly, W2K8-S8-QA11. Severity: High; Component: Application Server; Source: Application Server; Status Details: Not Running; Event Description: The ObserveIT Application Server is not working properly; Email Sent: No; Additional Info: URL of the Application Server or Web Console; Comment: Application server is unreachable; Remediation Status: New; Comment field with Add Comment button.]

For further details about the information displayed in the System Events list, and the event types, possible causes and solutions, see Viewing System Events and Event Types.

Adding Agent Groups

Administrators can add more Agent groups to the Admin Dashboard.

To add Agent groups to the Admin Dashboard:

1. In the Agents portal of the Admin Dashboard, click the Add more groups link (this is available when there is only one row in the Agents list). Otherwise, you can navigate directly to Config
Enabling Session Replay Privacy

ObserveIT is designed to allow Console Users (with proper roles and permissions) to replay any session for which they have permissions. However, some customers may require additional replay security measures to protect the privacy of the recorded sessions. The Session Replay Privacy option allows the customer to assign a master password that must be entered each time a Console User wants to replay sessions.

After Session Replay Privacy Protection is enabled, each time a Console User needs to replay a recorded session, a lock icon appears next to the replay button. When the replay button is clicked, a message is displayed prompting the user to enter the Replay Privacy Protection password.

[Screenshot: Session Replay Privacy Protection dialog opened from the Server Diary: "Session Replay Privacy is currently enabled for recorded session video replay. In order to replay user sessions, please enter the Session Replay Password."]
Click OK. Before the changes and data are written to the new path, a confirmation dialog box opens:

"You are about to change the screen capture data storage location from <old file system path> to <new file system path>. This action cannot be reversed. However, as long as the path to the previous location is still accessible by the system, data in it can be replayed. After you click Yes, all new session screen capture data will be stored in the new path. Are you sure that you want to proceed?"

Click Yes to proceed. Once committed, the active local or network path to the archive location will change to the new path, and all session screen captures will immediately be archived there. The old path will be displayed in the Historical Data Storage Locations section.

Note: You can define multiple archive file system locations for the currently active archive database.

Viewing Previous Archive Data Storage Locations

In the Historical Data Storage Locations section, you can see detailed information about:

• Archive databases that were previously used by the system for archiving data.
• Local/network paths which were previously used by the system for archiving screen capture data.

Important: When using the file system, the archived screen captures are stored under the current archive database, with the related metadata, under the currently active archive path. This enables administrators to easily correlate the archive file system d
Creating and Managing Local Console Users

This topic describes how to create a new console user, edit the details of a console user, delete a console user, and create a report about a console user.

To create a new Console User:

1. In the Configuration > Console Users tab, click the Create User button. The Add Console User dialog box opens.

[Screenshot: Configuration > Console Users page with the Add Console User dialog. User Details: User Name (michelle); Authentication (ObserveIT Authentication); Password; Confirm Password; Role (Admin); Allow access to All Servers group; Email.]

2. Enter the required name for the new Console User.
3. Enter a local ObserveIT user, or select an Active Directory domain for authentication.
4. Enter a password and confirm the password.
5. From the Role drop-down list, select th
6. To configure an email address to enable the Console User to receive email notifications
[Screenshot: Forced Identification user list (Domain, User, Created Date: administrator, 12/29/2014) with a Remove link and the Save last used login check box.]

4. Click Remove.
5. Click Save to save the server configuration policy.

Configuring Active Directory Identification Targets

Active Directory Identification Targets are the domains against which Forced Identification users are authenticated. When you configure the targets correctly, they appear in the ObserveIT Identification Services page.

To allow ObserveIT to use Windows Authentication against an Active Directory target, you will need to add an LDAP target. If the server on which the ObserveIT Application Server is installed is a member of an Active Directory domain, the Active Directory domain will be automatically added to the list of LDAP targets and will be configured as an Automatic-type LDAP target. This will enable the usage of Active Directory users and groups from all domains in all the Active Directory forests that are connected to the current forest.

Note: ObserveIT easily integrates with your Active Directory forest, enabling you to use user and group objects from any domain in the forest in which the ObserveIT server-side components are installed, and in which the ObserveIT Agents are deployed (if different). Cross-forest trusts can also be used. Although using groups from Active Directory domains is possible with any group scope (domain local
Editing Messages

You can edit messages in order to make changes to the title, text or other settings.

To edit messages:

• In the Configuration > Messages page, click the Edit link next to the message you want to edit.

[Screenshot: Configuration > Messages page, Manage Messages list (1-1 of 1) with columns Message Name, Modified Date, Posted By, Views, Active; the row "Warning message", 1/12/2015 6:57:16 PM, Admin, 0 views, with Edit, Disable and Delete links ("Click to edit this message"); sidebar: Create a new message, Active Messages 1, Disabled Messages 0, Expired Messages 0.]

The message's details page opens, where you can edit the message.

Viewing Messages

You can view all instances where a message was displayed on servers. This information can be used to track user sessions and their interaction with the desktop. Furthermore, having proof that a user was indeed presented with the message and acknowledged it can be useful for auditing and security purposes.

You can view messages in several places.

To view messages:

1. In the Messages list in the Configuration g
Options for Defining the Who Conditions

Field | Option | Usage | Examples
Login account (domain\name) | is, is not, contains, does not contain, starts with, does not start with, ends with, does not end with, is member of group, undefined | Use this option to specify the name and, optionally, the domain of regular users who are logged in. Examples: • If the required user belongs to a specific domain (for example, observeit), you can define the condition: Login account (domain\name) is observeit.com\john. • If you do not want to specify a domain for the user, you can define the condition: Login account (domain\name) is john. | observeit.com\john; observeit.com\root; john; root; any user
Secondary user (domain\name) | (same options) | Use this option to specify the name and, optionally, the domain of users for whom secondary authentication is required. For example: Secondary user (domain\name) is observeit-sys\james. |
Login/Secondary user (domain\name) | (same options) | Use this option if the required user could be a regular or a secondary authentication user. For example: Login/Secondary user (domain\name) contains observeit.com\john. |

Defining the Did What Conditions

In the Did What section of the Create Alert Rule page, you can define conditions of suspicious user activities which would trigger an alert, based on recorded ObserveI
[Screenshot: schedule options: Run daily at 08:00:00; Run every 1 Hours.]

3. Select the Enable export to ArcSight format check box.

Note: Integration is currently provided by default with the HP ArcSight SIEM product.

4. In the Log data section, select at least one of the following data types for monitoring:
   • Windows and Unix Activity (selected by default)
   • Activity Alerts (selected by default)
   • DBA Activity
   • System Events
   All selected log type data will be stored in one file by default: OIT-CEF-1.log.
5. In the Log file properties section:
   1. In the Folder location field, accept the default log file location (C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\ArcSight) or specify a new path for the monitor log files. When changing the default log folder location, new session data will be stored in the new path; existing data will remain in the old location.
      Note: The user account used by the ObserveIT Notification Service must have read and write permissions for the path. If the user account does not have sufficient permissions to create the directory or write to the log file, a system event is generated. In addition, the log file size is limited to a predefined size; if the file size exceeds the maximum defined size, a system event will be generated. For further details, see System Events.
   2. In the File name field, use the default log fil
25. [Screenshot: Archive Storage page]
SQL Server Database: Server OBS-SQLDEV\OIT_DEV_569; Database Name ObserveIT_Archive_2; Database path C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQL\DATA\ObserveIT_Arc...; Date range of included sessions N/A; Size of archive database 7.18 GB (0 slides); Low DB space notification: when it reaches 2% of the allowed 123.00 GB. [Add New Archive Database]
Active Screen Capture Archive: Screen capture data stored in File System; File system location C:\fs1\ObserveIT_Archive_2\OIT-BORIS; Date range of included sessions N/A; Current screen capture storage 0.00 GB (0 screens); Low disk space notification: Not Configured. [New Screen Capture Archive Location]
Historical Data Storage Locations (1 of 1):
DB and Related Screen Data Locations: ObserveIT_Archive_1; First Session Date 10/27/2013; Last Session Date 02/03/2014; Sessions 128; DB Size 38 GB; Freeze Date 01/25/2014
Screen Capture Locations: C:\fs1\ObserveIt_Archive_1, 10/27/2013 to 12/24/2013, 112 MB, 4,200 screens; C:\fs2\ObserveIt_Archive_1, 12/24/2013 to 02/03/2014, 103 MB, 5,105 screens

Note: In the Diary tab you can retrieve specific sessions from the archive in order to replay them.

Viewing the Archive Log

You can view archive schedule management actions in the archive log.

To view the archive log:
1. Navigate to Configuration
26. Important: Before you begin, make sure that you have read the Rules for Configuring Alert Conditions described in Understanding the Logic for Triggering Alerts.

2. To define or edit the time (a specific date range, dates, time of day or days of the week) at which the action occurred, select the relevant options as described in the following table.

Note: If the Agent and the server are in different time zones, date and time alerts are based on Agent local time. This means that non-working hours in the Agent's location might be regular working hours in the server's local time zone.

Options for Defining the When Conditions

Field: Day of week
Options: is, is not
Example values: Saturday, Sunday

Field: Time of day
Options: is before, is after, is between, is not between
Example values: 10:59am; between 08:00am and 06:00pm

Field: Specific date
Options: is, is not, is before, is after, is between, is not between
Example values: 20/4/2014; between 22/4/2014 and 25/4/2014

Field: Specific date and time
Options: is, is not, is before, is after, is between, is not between
Example values: between 25/4/2014 09:00pm and 27/4/2014 06:00pm

Defining the From Which Client Conditions

In the From Wh
27. 2. Enter the Group Name.
3. In Domain Name, enter the required domain for the console group, or select it from the drop-down list, which displays all the domains in the Active Directory forest in which the ObserveIT Application Server is a member.
4. If required, to change the permissions assigned to the group, select Admin, View Only Admin or Config Admin from the Role list.
5. Click Check Name to verify the group name. If the group name is verified, a confirmation message is displayed.
6. Click Add to add the console group.

Assigning Console User Permissions to View Recordings

Console Users can be granted permissions to view recorded sessions on one or more servers on which the ObserveIT Agent is installed, on server groups, and for specific users. These permissions are given to users based on their defined role.

To grant permissions for Console Users:
1. In the Configuration > Console Users tab, click the Permissions link next to the Console User name whose permissions you want to modify. The following dialog box opens.

By default, new Console Users have permissions to the All Servers group, which means that they can access all the deployed ObserveIT Servers. If required, you can d
28. The following topics in this section describe in detail how to archive ObserveIT information, including:
• Scheduling an Archive Job
• Managing the Archive Storage
• Viewing the Archive Log

Scheduling an Archive Job

Archiving jobs can be launched manually or scheduled for automatic, periodic archive rotation. When scheduling archiving, you can select a date range for the archived data or an "older than" parameter, and you can control which sessions are archived based on specific server or user names or on specific server groups.

During archiving, the ObserveIT database and file-system storage are locked; therefore, schedule the archive for a time when activity on the server is minimal (for example, weekends or nights). It is also recommended to schedule the archive so that no single archive contains too much data: a periodic archive is better than archiving a whole year at once.

Scheduling an archive job is done in the Schedule Archive page of the Web Console. The following steps are required to schedule a job for archiving:
1. Enable the schedule status.
2. Specify a date range for the archived data.
3. Select the archive job frequency.
4. Specify the type of data that will be processed by the archive job.
5. Select the action to be performed on the job schedule.

Note: You can select to arc
29. The mini Admin Dashboard provides an immediate indication of Agent health. When you notice errors or problems, you can click the mini Admin Dashboard to jump straight to the full Admin Dashboard and examine the details.

To assess and restore Agent health using the Admin Dashboard:
1. Go to the Agents portal of the Admin Dashboard to view the Agent group with the error status and the number of Agents with errors.

[Screenshot: Admin Dashboard, recent statistics for the past 7 days (updated 12/30/2014 12:35 PM, Auto refresh ON). Servers panel: Latest version 7, Earlier versions 1, Recently installed, Recently uninstalled. Health panel: Notification Service, Alert Rule Service, Monitoring Engine (Not Running). Agents Status panel, by group: All Servers 62 (6 with errors), Active Servers 56 (4 with errors), Unix Servers 25, Windows Servers 24, Windows WorkStations 13; error messages such as "Unable to Save Data" are listed per Agent (for example WIN-DBDG05520RV, W2K8-S8-QA21, W2K8-S8-QA11).]

Hover the mouse over the colored status bar to vie
30. To view system events:
1. Navigate to Configuration > System Events. Alternatively, in the Configuration > Servers page, click the System Events link or the Status link to open the System Events page filtered to display all the events related to the Agent group.

The System Events list displays the events that occurred in the system according to the specified severity and filter criteria.

[Screenshot: Configuration > System Events page with Notification Policy, Severity (All), More Filters and Server (All) filters, showing 1-20 of 55 events in a table with Received time and Code columns (codes such as 1304, 1218, 1301, 1201, 1221, 1203, 1219, 1220 and 1231; times from 2:52 PM to 3:01 PM).]
31. [Screenshot: Session Replay Password dialog with a password field, a "Remember this password until I log out" check box, and Cancel and OK buttons.]

The Console User must enter the correct password and click OK. If required, the user can select the "Remember this password until I log out" check box to avoid re-entering the password for each session they want to replay.

Note: If privacy is important, make sure that the Console User logs out of the Web Console after replaying the required sessions.

Note: The password is not required for making changes to the ObserveIT configuration settings. However, if the client wants to remove the Session Replay Privacy Protection, they will also need to know the master password. This prevents the client's Console Users with Admin role permissions from temporarily disabling Session Replay Privacy Protection without proper authorization.

Note: Session Replay Privacy Protection also applies to Saved Sessions and Reports.

To enable Session Replay Privacy Protection:
1. Navigate to Configuration > Security and click the Session Privacy tab.

[Screenshot: Configuration > Security > Session Privacy tab.] Session Re
32. next to the relevant LDAP target source.

[Screenshot: LDAP Targets List with columns LDAP Path, Domain Name, User Name, Alias, Type, Created Date and a Delete link; for example LDAP://DC=OBSERVEIT-SYS,DC=LOCAL, OBSERVEIT-SYS.LOCAL, NETWORK SERVICE, OBSERVEIT-SYS, Auto, 3/3/2014.]

A message is displayed, warning you that you are about to delete an LDAP Source.

Important: If you try to delete an LDAP Source while there are Forced Identification Users and/or Console Users in the system, you will receive an error message. If no LDAP sources remain and Identification Services was configured, any user that tries to log on to the ObserveIT monitored servers will be unable to do so. Deleting the LDAP Source might prevent Forced Identification Users or Console Users from passing ObserveIT Identification or logging on to the ObserveIT Web Console. To delete such an LDAP source, you must first either remove the Forced Identification Users or Console Users, create a different LDAP Source, or create Local ObserveIT Users instead.

Click OK to proceed. The LDAP target is deleted.

Changing the Default LDAP Email Field Name

The user's email must be defined in the LDAP mail field in order for users to receive email notifications, and especially notifications about user login events (see Configuring Identity Theft Settings). The default LDAP mail field name is "mail", but you can change this to a more specific user
33. organized by date and time and color-coded per severity level. You can expand an alert row to view more details, including the conditions which triggered the alert.

To view a list of alerts:
1. Click the Activity Alerts tab. The Activity Alerts page opens in List view, which is the default mode.
2. To switch to List mode from another viewing mode, click the List icon in the Show area of the Activity Alerts page.

In List mode you can view the list of alerts that match the specified filter criteria. One line of information is shown about each alert.

[Screenshot: Activity Alerts in List mode, filtered to Period "Last 6 months" (between 1/1/2014 and 2/28/2014), Severity High, Alert rule All, showing 1-20 of 8465 alerts. Columns: Time, Alert, Login, User, Server, Video. Example rows: 2/9/2014 2:19 PM "After hours Login to DB server", login administrator, user lan, server OITHostedDem...; 7:56 AM "Opened Hosts file"; 5:15 AM "After hours Login to DB server"; 2/6/2014 8:31 PM "After hours Login to DB server"; 8:24 PM "Opened Hosts file"; 1:46]
34. policy as follows:

[Screenshot: Offline Recording Policy section: Enable offline recording; Offline storage location /opt/observeit/agent/run (Default); Limit per recorded machine 10 GB or UNLIMITED; Limit per recorded session 100 MB.]

a. Select the Enable offline recording check box. By default, this check box is selected.
b. If required, change the Offline storage location. The default directory, /opt/observeit/agent/run, stores the offline data for recorded Unix/Linux sessions. You must provide a valid full path for the new offline storage location (no spaces, no forbidden characters, it must start with a "/", and so on); otherwise you will receive an error message and the location will revert to the default.
Note: If connectivity with the ObserveIT Application Server is lost while offline recording is enabled, user activity data is temporarily stored in the file system of the client machine until connectivity is restored and the data can be transferred to the Application Server. For the Offline storage location, you may specify the file system path where the recorded data will be temporarily stored, or click Default to store the data in the default product path, which is a folder under the directory of the installed ObserveIT Agent.
c. If required, define limits for the size of the offline storage per recorded machine and/or per recorded session.
Limit per recorded machine: Select this option to s
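Path validation and the size limits of the Offline Recording Policy above, as an added Python example (not ObserveIT Agent code). The guide says only that the location must be a full path starting with "/" with no spaces or forbidden characters, and that limits can be set per recorded machine and per recorded session or left UNLIMITED; the particular forbidden-character set, the rejection of "." and ".." components, and the behaviour at the limit (further data is refused, what is already buffered is kept until connectivity returns) are assumptions of this example.

```python
# Added example (not ObserveIT code).  Assumptions: the forbidden-character
# set below, rejection of unnormalised paths, and "refuse further data once a
# limit would be exceeded" as the behaviour at the limit.
DEFAULT_LOCATION = "/opt/observeit/agent/run"
FORBIDDEN_CHARS = set(" \t\r\n\"'`$&|;*?<>\\")  # assumption
UNLIMITED = None
MB = 1024 * 1024
GB = 1024 * MB


def validate_offline_location(path):
    """Return (effective_path, error).

    An empty path means the Default button was used.  An invalid path is
    reported and the location reverts to the default, as the guide describes.
    """
    if not path:
        return DEFAULT_LOCATION, None
    if not path.startswith("/"):
        return DEFAULT_LOCATION, "must be a full path starting with '/'"
    bad = sorted(set(path) & FORBIDDEN_CHARS)
    if bad:
        return DEFAULT_LOCATION, "forbidden characters: " + repr("".join(bad))
    parts = path.rstrip("/").split("/")[1:]
    if not parts or "" in parts or "." in parts or ".." in parts:
        return DEFAULT_LOCATION, "path must be absolute and normalised"
    return path.rstrip("/"), None


class OfflineStore:
    """Accounts for data buffered while the Application Server is unreachable."""

    def __init__(self, machine_limit=10 * GB, session_limit=100 * MB):
        self.machine_limit = machine_limit   # bytes, or UNLIMITED
        self.session_limit = session_limit   # bytes, or UNLIMITED
        self.used = {}                       # session id -> bytes buffered

    def machine_total(self):
        return sum(self.used.values())

    def offer(self, session_id, nbytes):
        """Buffer nbytes for a session unless a limit would be exceeded.

        Returns True if the data was accepted.
        """
        in_session = self.used.get(session_id, 0)
        if self.session_limit is not UNLIMITED and in_session + nbytes > self.session_limit:
            return False
        if self.machine_limit is not UNLIMITED and self.machine_total() + nbytes > self.machine_limit:
            return False
        self.used[session_id] = in_session + nbytes
        return True

    def drain(self):
        """Connectivity restored: hand back everything buffered and reset."""
        flushed, self.used = dict(self.used), {}
        return flushed


if __name__ == "__main__":
    print(validate_offline_location("/var/lib/oit offline"))  # reverts to default
    store = OfflineStore(machine_limit=1 * GB, session_limit=100 * MB)
    print(store.offer("session-1", 60 * MB), store.offer("session-1", 50 * MB))
```

The store refuses the second 50 MB chunk for session-1 because the session limit is 100 MB, while a second session can still buffer up to the machine limit.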
35. [Screenshot residue: session list rows, for example root, 12:47 PM to 12:47 PM, c65-64-3, 10.1.100.29; localhost\qatest, 12:42 PM to 12:45 PM, c65-64-3, 10.1.100.29.]

Steps for Configuring ObserveIT Identification Services

To configure the ObserveIT Identification Services:
1. In the ObserveIT Web Console, navigate to Configuration > Identification.
2. Create Forced Identification users. Creating these users does not affect any actual user accounts; it simply instructs ObserveIT to require identification when any of these users log on to any ObserveIT monitored server. For further details, see Configuring Forced Identification Users.
3. Configure the authentication targets for these users. Identification is performed against one or more LDAP targets or domains, by adding Active Directory identification targets. When no central Active Directory is available against which ObserveIT Identification Services can authenticate, you will need to use local ObserveIT targets for user authentication. For further details, see Configuring Active Directory Identification Targets and Configuring Local ObserveIT Identification Users.
4. Configure which Active Directory groups can authenticate to the secondary ObserveIT logon. If the LDAP target is of the Automatic type, you can prevent users who are not members of a predefined Active Directory group from gaining access and logging on to the monitored servers. For further details, see Configuring Active Directory Groups.
36. status. After some time (the file might take several minutes to generate), the status changes to indicate that the file is available for download. You can also view the number of slides included in the saved session, the session's date, and additional information.

Note: A warning icon next to a saved session indicates that some slides may be missing from the session. Even after receiving a warning about missing image data following a session integrity check, the session can still be exported. For further details, see Windows Session Player in the User Guide.

[Screenshot: Configuration > Saved Sessions list with columns Session Name, Total Slides, Created, Server, Login By, Download, Delete and Video. Example rows: created 1/6/2015, server W2K8-S8-D02, login Administrator, Download (0.3 MB), with the comment "Look at the connection error in User Admin" (comment time 1/9/2015 3:57 PM); and a second session created 1/6/2015 on W2K8-S8-D02 by Administrator, Download (0.2 MB).]

8. Click the Download link next to the saved recording. Save the file to a lo
37. ticket number.
• Always require a valid existing ticket number: The user will not be able to log in to the system without providing a valid ticket number.
• Require a valid ticket number but also allow on-the-fly creation of a new ticket: If the user does not have a valid ticket number, the user can select the check box "I don't have a ticket number. Please create a new ticket and log me in", and a new ticket will be created in the ticketing system.
• Ticket number is optional: A ticket number is not mandatory for the user to be able to log in to the system.
System Logo File (optional): Browse to select the logo image file to include the logo of the selected ticketing system. The selected image is displayed in the preview box. You can click Remove next to the image to change it. Supported image formats are jpg, png and gif; the maximum supported image dimensions are 160 pixels wide by 40 pixels high.
5. In the Select Servers section, configure the servers and server groups on which the ticketing policy will be applied, as follows:
• To browse for specific servers on which to apply the ticketing policy, click the browse button, select the servers from the Server List, and click Add.
• To apply the ticket policy to a group of servers, select the server group from the Server Groups drop-down list, and click Add. Options include All Serve
38. [Screenshot residue: When conditions of the rule, ending "...00 and 18:00" or "Day of week is Sunday, Saturday"; From Which Client: Currently Any client.]

2. In the Alert Rule Details section, in the Name field, edit the name of the alert rule.
3. Provide a Description for the rule that explains its meaning or motivation.
4. Select a Notification policy, which defines who should receive email notifications when an alert from this rule is triggered, and how often (for example, "Daily digest for Division Managers").
Note: To define a new policy, click the icon (see Defining Alert Notification Policies). There is no default notification policy: new alert rules are created with no policy, which means that newly generated alerts will not trigger any email.
5. Select the status of the alert rule: Active or Inactive.
6. Select the severity of the alert rule: High, Medium or Low.
7. Edit the Who, Did What, On Which Computer, From Which Client and When conditions for the rule that will trigger the alert, as described in the following topics:
• Defining the Who Conditions
• Defining the Did What Conditions
• Defining the On Which Computer Conditions
• Defining the When Conditions
• Defining the From Which Client Conditions
Note: For descriptions of the logic for defining alert conditions, see Understanding the Logic
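The Who operators from the Options for Defining the Who Conditions table, the When options from the Options for Defining the When Conditions table (including the note that date and time conditions are evaluated in Agent local time), and the rule assembly in the steps above, worked through as an added Python example. This is not ObserveIT code: the operator names follow the guide's tables, but the data layout, the group-membership callback, the Agent's UTC offset, the sample rule (modelled on the "After hours Login to DB server" alert shown in the alert list) and the combination of conditions (When conditions OR-ed, as the rule summary screenshot shows, and the Who and When blocks AND-ed) are assumptions of the example; the authoritative combination rules are in Understanding the Logic for Triggering Alerts, which this page does not reproduce.

```python
# Added example (not ObserveIT code): evaluate Who and When alert-rule
# conditions as the guide's tables describe them.  Assumptions: group
# membership comes from a caller-supplied lookup, the Agent's time zone is
# given as a UTC offset in hours, When conditions are OR-ed and the Who and
# When blocks are AND-ed.
from datetime import date, datetime, time, timedelta, timezone

NEGATED = {
    "is not": "is",
    "does not contain": "contains",
    "does not start with": "starts with",
    "does not end with": "ends with",
}


def utc(*args):
    """Construct a timezone-aware UTC datetime (helper for samples and tests)."""
    return datetime(*args, tzinfo=timezone.utc)


def split_account(account):
    """'observeit.com\\john' -> ('observeit.com', 'john'); 'john' -> ('', 'john')."""
    domain, _, user = account.rpartition("\\")
    return domain.lower(), user.lower()


def who_matches(operator, value, account, groups_of=lambda acct: ()):
    """Who condition: <user/domain-name field> <operator> <value>.

    A value without a domain ('john', 'root') matches that user in any
    domain, as the guide's examples describe; a value with a domain
    ('observeit.com\\john') must match both domain and user.
    """
    if operator == "is member of group":
        return value.lower() in {g.lower() for g in groups_of(account)}
    acct_dom, acct_user = split_account(account)
    val_dom, val_user = split_account(value)
    subject = f"{acct_dom}\\{acct_user}" if val_dom else acct_user
    target = f"{val_dom}\\{val_user}" if val_dom else val_user
    tests = {
        "is": subject == target,
        "contains": target in subject,
        "starts with": subject.startswith(target),
        "ends with": subject.endswith(target),
    }
    if operator in NEGATED:
        return not tests[NEGATED[operator]]
    return tests[operator]  # KeyError for an operator the table does not list


def _compare(x, operator, value):
    """Shared comparison for time-of-day, date and date-and-time conditions."""
    if operator == "is":
        return x == value
    if operator == "is not":
        return x != value
    if operator == "is before":
        return x < value
    if operator == "is after":
        return x > value
    low, high = value
    inside = low <= x <= high
    if operator == "is between":
        return inside
    if operator == "is not between":
        return not inside
    raise ValueError(f"unknown operator {operator!r}")


def when_matches(field, operator, value, event_utc, agent_utc_offset_hours):
    """When condition evaluated in Agent local time (the guide's time-zone note).

    event_utc is a timezone-aware datetime; the Agent's offset is applied
    before looking at the weekday, clock time or date.
    """
    local = event_utc.astimezone(timezone(timedelta(hours=agent_utc_offset_hours)))
    if field == "day of week":
        hit = local.strftime("%A") in value
        return hit if operator == "is" else not hit
    if field == "time of day":
        return _compare(local.time(), operator, value)
    if field == "specific date":
        return _compare(local.date(), operator, value)
    if field == "specific date and time":
        return _compare(local.replace(tzinfo=None), operator, value)
    raise ValueError(f"unknown When field {field!r}")


# Constructed sample rule, modelled on the "After hours Login to DB server"
# alert in the guide's alert list: administrator in any domain, outside
# 08:00-18:00 or on a weekend.
AFTER_HOURS_DB_LOGIN = {
    "name": "After hours Login to DB server",
    "who": [("is", "administrator")],
    "when_any": [
        ("time of day", "is not between", (time(8, 0), time(18, 0))),
        ("day of week", "is", {"Saturday", "Sunday"}),
    ],
}


def rule_matches(rule, login, event_utc, agent_utc_offset_hours, groups_of=lambda acct: ()):
    """True when every Who condition holds and at least one When condition holds."""
    who_ok = all(who_matches(op, val, login, groups_of) for op, val in rule["who"])
    when_ok = not rule["when_any"] or any(
        when_matches(field, op, val, event_utc, agent_utc_offset_hours)
        for field, op, val in rule["when_any"]
    )
    return who_ok and when_ok


if __name__ == "__main__":
    # Monday 2014-02-10 12:19 UTC is 14:19 for an Agent at UTC+2 (working hours)
    # but 21:19 for an Agent at UTC+9 (after hours): only the second one alerts.
    logon = utc(2014, 2, 10, 12, 19)
    print(rule_matches(AFTER_HOURS_DB_LOGIN, "lan\\administrator", logon, 2))
    print(rule_matches(AFTER_HOURS_DB_LOGIN, "lan\\administrator", logon, 9))
```

The same UTC instant alerts for one Agent and not for another purely because of the Agent's offset, which is the situation the time-zone note warns about: a rule written for the server's working hours has to be checked against each Agent's local clock.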
39. [Screenshot residue: session row, ...01 PM to 2:03 PM, Administrator, n/a, WIN2003-OITSRV.local.]

Deleting Local ObserveIT Users

Important: Deleting a Local ObserveIT user has no effect on the actual user object, either in Active Directory or in the Windows local users. However, if this user is still listed in the Forced Identification Users section and configured in one or more Server Policies, then, since it can no longer authenticate against any available Local ObserveIT user, that user will NOT be able to log on to the ObserveIT monitored server. Therefore, take care before deleting Local ObserveIT users.

To delete a Local ObserveIT user from the list:
1. Navigate to the Configuration > Identification page.
2. In the Local ObserveIT Identification Users section, click the Delete link of the user that you want to delete.

[Screenshot: Local ObserveIT Identification Users ("These are the Local ObserveIT Targets against which the users will authenticate"), 1-3 of 3: bennyt (1/12/2015), davidg (1/12/2015), jamest (1/12/2015), each with a Delete link.]

A window opens, warning that you are about to delete a Local ObserveIT Identification user.
3. Click OK to delete the user.

Forced Identification User Login

After enabling and configuring ObserveIT's Identification Services, Forced Identification users that log on to the monitored servers will be required to
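The secondary-logon decision for a Forced Identification user, as an added Python model that is not ObserveIT code. It follows steps 2 to 4 of Steps for Configuring ObserveIT Identification Services (forced users, LDAP targets, the Active Directory group restriction on Automatic targets, local ObserveIT users as the fallback) and reproduces the two lock-out cases the guide warns about: deleting the last LDAP source, and deleting a local user who is still listed as a Forced Identification user. The directory stub, the local password store (salted PBKDF2), the target and user records and the result strings are assumptions of the example.

```python
# Added example (not ObserveIT code): the secondary-logon decision for a
# Forced Identification user.  Assumptions: the directory stub below stands
# in for Active Directory, local users are stored as salted PBKDF2 hashes,
# and the Automatic-target group restriction is "must be a member of at
# least one allowed group".
import hashlib
import hmac
import os


class DirectoryStub:
    """Stands in for Active Directory: who can bind, and group membership."""

    def __init__(self, accounts):
        # (domain, user) -> {"password": ..., "groups": [...]}  (constructed)
        self.accounts = {(d.lower(), u.lower()): a for (d, u), a in accounts.items()}

    def bind(self, domain, user, password):
        acct = self.accounts.get((domain.lower(), user.lower()))
        return acct is not None and hmac.compare_digest(acct["password"], password)

    def groups(self, domain, user):
        acct = self.accounts.get((domain.lower(), user.lower()))
        return {g.lower() for g in acct["groups"]} if acct else set()


def make_local_user(password):
    """Local ObserveIT identification user entry (salted PBKDF2, an assumption)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}


def local_user_ok(entry, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), entry["salt"], 100_000)
    return hmac.compare_digest(digest, entry["hash"])


def secondary_logon(user, password, forced_users, ldap_targets, local_users, directory):
    """Return (allowed, reason) for a logon to a monitored server.

    forced_users: login names for which identification is required
    ldap_targets: [{"domain": ..., "type": "Automatic" or "Manual",
                    "allowed_groups": set()}]  (group check on Automatic only)
    local_users:  {login: entry from make_local_user}
    """
    if user.lower() not in {u.lower() for u in forced_users}:
        return True, "identification not required for this user"
    for target in ldap_targets:
        if not directory.bind(target["domain"], user, password):
            continue
        allowed = {g.lower() for g in target.get("allowed_groups", ())}
        if target["type"] == "Automatic" and allowed:
            if not (directory.groups(target["domain"], user) & allowed):
                return False, f"{target['domain']}: not a member of an allowed group"
        return True, f"authenticated against LDAP target {target['domain']}"
    entry = local_users.get(user)
    if entry is not None and local_user_ok(entry, password):
        return True, "authenticated against Local ObserveIT user"
    # Fail closed: a forced user that no target can vouch for is the lock-out
    # the guide warns about after an LDAP source or a local user is deleted.
    return False, "no identification target can authenticate this user"


# Constructed sample data.
AD = DirectoryStub({
    ("observeit-sys.local", "james"): {"password": "Pa55word", "groups": ["OIT-Admins"]},
    ("observeit-sys.local", "bob"): {"password": "Pa55word", "groups": ["Users"]},
})
AD_TARGET = {"domain": "OBSERVEIT-SYS.LOCAL", "type": "Automatic", "allowed_groups": {"OIT-Admins"}}
LOCAL_USERS = {"bennyt": make_local_user("local-secret")}
FORCED_USERS = {"james", "bob", "bennyt", "root"}


if __name__ == "__main__":
    for who, pw in [("james", "Pa55word"), ("bob", "Pa55word"), ("bennyt", "local-secret"), ("root", "x")]:
        print(who, secondary_logon(who, pw, FORCED_USERS, [AD_TARGET], LOCAL_USERS, AD))
    # The LDAP source has been deleted: james is now locked out.
    print("james, no LDAP target:", secondary_logon("james", "Pa55word", FORCED_USERS, [], LOCAL_USERS, AD))
```

Note that nothing in the flow consults the real account: as the guide says, deleting a local ObserveIT user leaves the Windows or Active Directory account intact, but a forced user whom no remaining target can authenticate is refused.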
40. 1. In the Select Users section of the Advanced settings, you can configure which users will receive the message, as follows. By default, the message is displayed to any user that logs on to the monitored servers.

You can exclude specific users or groups from receiving the message by adding them to the Exclude list.

[Screenshot: Select Users section. "Send message to any users logging on to above servers": to exclude specific users, enter Domain Name\Login (e.g. administrator or OBSERVEIT\danielp); Exclude: Domain (or "for all"), Login/User, Add; list columns Domain, User, Created Date, Type. "Send message only to the following users": to include specific users, enter Domain Name\Login; Include: Domain (or "for all"), Login/User, Add; the same list columns.]

2. To exclude a user or group: for each user or group that you want to exclude, enter the Domain name or select it from the drop-down list, specify the user's Login name (or the group's Group Name), and click Add. The specified users and groups are displayed in the list.
Note: The Domain Name drop-down list displays all the domains in the Active Directory forest in which the ObserveIT Application Server is a member. You can select to exclude any user with the specified login name from receiving the message rega
41. [Screenshot: Configuration > Audit > Configuration Changes. Filters: Area Server Policy, Item Default Windows-based Policy, Period Last 4 Months or Between 12/21/2014 and 12/29/2014. Example entries: 3:13 AM, Admin, 10.1.100.133, Server Policy, Default Windows-based, Changed; 3:13 AM, Admin, 10.1.100.133, Server Policy, Windows Servers P..., Changed; 3:13 AM, Admin, 10.1.100.133, Server Policy, Default Unix-based, Changed; 3:12 AM, Admin, 10.1.100.133, Server Policy, Windows Servers P..., Added.]

Configuration Changes

Filter the display of audit entries by selecting the search criteria as follows:
• Area: select the relevant option from the drop-down list, or select All to display entries for all configuration areas.
• Item: select the relevant option from the drop-down list, or select All to display entries for all configuration items.
• Period or Date range: specify the time period or the date range during which the changes were made.
After you have defined your search criteria, click Show to display the list of audit entries matching your criteria. You can click Reset to revert to the previously filtered display. Entries are listed in reverse chronological order. For
42. ...2EFF89337A8E&lang=en

2014-09-03T18:25:17  10000000  SQL statement start with  Alert 1 - this alert will be generated when someone will use command SELECT. This is a Medium alert  Medium  Executed SQL command: use observeit; select * from dbo.sessions  http://WIN-QA2:4884/ObserveIT/ActivityAlerts/ActivityAlerts.aspx?keyword=10000000&viewmode=Full  00000000-0000-0000-0000-000000000000  OIT-LAURENT  WIN-QA2  tsta.local  administrator  n/a  DB  WIN-QA2  ObserveIT  Query  use observeit; select * from dbo.sessions

2014-09-04T10:57:06  10000015  Application name is calculator  Alert 3 will be generated while running application calc.exe  Medium  Ran application: windows Calculator  http://WIN-QA2:4884/ObserveIT/ActivityAlerts/ActivityAlerts.aspx?keyword=10000015&viewmode=Full  4ebb1bb5-3bb1-49f8-b089-9c6302954d08  OIT-LAURENT  WIN-QA2  tsta.local  administrator  n/a  Calculator  windows Calculator  calc  http://WIN-QA2:4884/ObserveIT/SlideViewer.aspx?SessionID=4EBB1BB5-3BB1-49F8-B089-9C6302954D08&DisplayOnAir=false&SSID=0D125495-CE1A-43E4-9716-BD0DA9B4A176&lang=en

2014-09-04T10:57:15  10000016  process name is wordpad  Alert will be generated when someone will use wordpad  Low  Ran process: wordpad  http://WIN-QA2:4884/ObserveIT/ActivityAlerts/ActivityAlerts.aspx?keyword=10000016&viewmode=Full  4ebb1bb5-3bb1-49f8-b089-9c6302954d08  OIT-LAURENT  WIN-QA2  tsta.local  administrator  n/a  Document - WordPad  windows  w
43. To view messages in the Session Player:
• In the Configuration > Messages > Views tab, click the Video icon next to the relevant message to replay a user session that displays the message as the user experienced it.

Deleting Messages

After a message is created, it can easily be deleted.
Note: A deleted message cannot be re-enabled.

To delete a message:
• In the Configuration > Messages page, click the Delete link next to the message you want to delete.

[Screenshot: Configuration > Messages > Manage Messages, Server Status All, 1-1 of 1: Message Name "Warning message", Modified Date 1/12/2015 6:57:16 PM, Posted By Admin, Status Active, with Edit, Disable and Delete links ("Click to delete this message"). Summary: Active Messages 1, Disabled Messages 0, Expired Messages 0, Views 0.]

Disabling Messages

After a message is created, it can easily be disabled. Disabling a message allows you to temporarily prevent it from being displayed. Disabled mes
44. ...|5.7.0.0|100|ObserveIT user activity|1|cat=useractivity cs2OS=windows dhost=Q20W2K8 dntdom=Q20W2K8 cs3ViewURL=http://Q20W2K8/ObserveIT/SlideViewer.aspx?SessionID=790F5439-99E3-4CE4-BA5D-44766A5CE807&DisplayOnAir=false&lang=en&SSID=33854AB4-1235-4A3B-81A8-AEA281E529B2 cs4command= dproc=ObserveIT duid=Administrator duser=n/a dvchost=OIT-RACHELI dvcpid= msg=Microsoft SQL Server Management Studio rt=Aug 11 14:13:08 shost=OIT-RACHELI sproc= src= sntdom= suser=n/a suid=n/a destinationServiceName=SSMS - SQL Server Management Studio deviceProcessName= end=Aug 11 14:13:08 start=Aug 11 14:13:08

Aug 11 14:13:25 host CEF:0|ObserveIT|ObserveIT|5.7.0|...|...|...|cn1=10000004 cn1RuleDescription=Alert when using Sql managment cs1AlertDetails=Executed SQL command: select * from databaseconfiguration; Ran application: SSMS - SQL Server Management Studio cs5AlertDetailsURL=http://Q20W2K8:4884/ObserveIT/ActivityAlerts/ActivityAlerts.aspx?keyword=10000004&viewmode=Full cs2OS=windows dhost=Q20W2K8 dntdom=Q20W2K8 cs3ViewURL= cs4SQL=DB Q20W2K8 ObserveIT Query select * from databaseconfiguration dproc=ObserveIT duid=Administrator duser=n/a dvchost=OIT-RACHELI dvcpid=10.1.100.96 msg= rt=Aug 11 14:13:25 shost=OIT-RACHELI sproc=ssms src=10.1.100.96 sntdom=n/a suser=n/a suid=n/a destinationServiceName= deviceProcessName=ssms end=Aug 11 14:13:25 start=Aug 11 14:13:25

Aug 11 14:13:25 host CEF:0|ObserveIT|ObserveIT|5.7.0.0|... cs2OS=windows dhost=Q20W2K8 dnt
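The CEF records above (and the ArcSight export described under Monitoring Log Files) are what a SIEM or a collector script has to parse. The following Python is an added example, not ObserveIT or ArcSight code: it splits the seven pipe-separated header fields (honouring the \| escape), walks the space-separated key=value extensions whose values may themselves contain spaces, resolves the csNLabel= / csN= pairs into named fields, and pulls the SessionID out of the ViewURL so an alert can be tied to the session it came from. The two sample lines are constructed after the excerpt above; the signature ID, name and severity of the alert record, the cn1Label value, and writing the custom fields as standard label/value pairs (the excerpt's extraction runs label and value together) are assumptions of the example.

```python
# Added example (not ObserveIT or ArcSight code): parse ObserveIT CEF records
# from the ArcSight export log.  The sample lines are constructed after the
# guide's excerpt; signature IDs, names, severities and the cn1 label are
# assumptions.
import re
from urllib.parse import parse_qs, urlsplit

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
_KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9]*)=")

SAMPLE = [
    "Aug 11 14:13:08 host CEF:0|ObserveIT|ObserveIT|5.7.0.0|100|ObserveIT user activity|1|"
    "cat=useractivity cs2Label=OS cs2=windows dhost=Q20W2K8 dntdom=Q20W2K8 "
    "cs3Label=ViewURL cs3=http://Q20W2K8/ObserveIT/SlideViewer.aspx?SessionID="
    "790F5439-99E3-4CE4-BA5D-44766A5CE807&DisplayOnAir=false&lang=en "
    "duid=Administrator duser=n/a dvchost=OIT-RACHELI "
    "msg=Microsoft SQL Server Management Studio rt=Aug 11 14:13:08 shost=OIT-RACHELI "
    "destinationServiceName=SSMS - SQL Server Management Studio",
    "Aug 11 14:13:25 host CEF:0|ObserveIT|ObserveIT|5.7.0.0|200|ObserveIT activity alert|5|"
    "cn1=10000004 cn1Label=RuleId cs1Label=AlertDetails "
    "cs1=Executed SQL command: select * from databaseconfiguration "
    "cs3Label=ViewURL cs3=http://Q20W2K8/ObserveIT/SlideViewer.aspx?SessionID="
    "790F5439-99E3-4CE4-BA5D-44766A5CE807&lang=en "
    "duid=Administrator dhost=Q20W2K8 src=10.1.100.96 sproc=ssms",
]


def split_header(line):
    """Return (seven header fields, extension text).

    A syslog prefix before 'CEF:' is dropped; '\\|' inside a header field is
    an escaped pipe and does not end the field.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    line = line[start:]
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: fewer than 7 fields")
    return fields, line[i:]


def parse_extension(text):
    """key=value pairs separated by spaces.

    A value runs up to the next ' key=' token, so values such as
    'Microsoft SQL Server Management Studio' survive intact; a '=' inside a
    URL query string is not preceded by whitespace and so is not a key.
    CEF escapes (\\= \\\\ \\n) are decoded.
    """
    keys = list(_KEY.finditer(text))
    out = {}
    for cur, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        raw = text[cur.end():end].strip()
        out[cur.group(1)] = raw.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")
    return out


def parse_cef(line):
    fields, ext_text = split_header(line)
    header = dict(zip(HEADER_FIELDS, fields))
    header["version"] = header["version"][len("CEF:"):]
    ext = parse_extension(ext_text)
    # csNLabel=Name / csN=value (and cnN) become labeled["Name"] = value.
    labeled = {ext[k]: ext[k[:-5]] for k in ext if k.endswith("Label") and k[:-5] in ext}
    return {"header": header, "ext": ext, "labeled": labeled}


def session_id(record):
    """SessionID query parameter of the ViewURL, or None."""
    url = record["labeled"].get("ViewURL", "")
    return parse_qs(urlsplit(url).query).get("SessionID", [None])[0]


def summarize(record):
    """The fields an analyst needs to pivot from an alert to its replay."""
    return {
        "signature": record["header"]["signature_id"],
        "severity": record["header"]["severity"],
        "user": record["ext"].get("duid"),
        "host": record["ext"].get("dhost"),
        "rule_id": record["ext"].get("cn1"),
        "details": record["labeled"].get("AlertDetails"),
        "session_id": session_id(record),
    }


if __name__ == "__main__":
    for line in SAMPLE:
        print(summarize(parse_cef(line)))
```

Because a value runs until the next whitespace-delimited key, a value that legitimately contains " word=" would be cut short; ObserveIT's SQL and application fields in the excerpt above do not, but a collector should reject records whose expected labels come out empty rather than silently indexing a truncated value.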
45. [Screenshot: Activity Alerts in maximized view, showing alerts such as "Browsing SETTINGS pages" (rule 10000004, OBSERVEIT-PM\micky, 7/20/2014 to 7/21/2014, with Opened window and Visited URL details) and "Unix privileged deletion or copy", with alert times from 7/20/2014 12:16 PM to 7/21/2014 1:27 PM.]

5. In maximized view, you can see a slideshow of the alert screenshots, with the alert details emphasized.
6. Use the > and < buttons to move through the slideshow.
7. Select a slide in the slideshow to see the details of an alert maximized.
8. Click the Video icon to open the Session Player at the screen location where the alert was generated.

The following shows an example of a video replay of a session during which a number of alerts (Activity Alerts) occurred. The color of the ring around the alert icon shows the alert severity: high (red), medium (orange) or low (yellow).

[Screenshot: ObserveIT Session Player in Internet Explorer at http://166.78.110.125:4884/ObserveIT/SlideViewer.aspx?SessionID=b14bf946-9fcc-4278-9b45-3ff1c9..., replaying a Google Chrome session on the "General Account Settings" page with a "Do you want Google Chrome to save your password?" prompt.]
46. Alert Rule Name: A unique name that describes the alert rule, for example "Opening hosts file".
Status: Active or Inactive. When an alert rule is inactive, new alerts are not generated, but old alerts remain fully accessible. The default status for new rules is Inactive.
Updated on: The date on which the rule was last updated.
Updated by: The user who last updated the rule.

To view more details, you can click the expand control next to an alert rule in the list, or switch to Details mode as described below.

To view alert rules in Details mode:
• In the Show area of the Activity Alert Rules page, click the Details icon to view details for all alert rules on the page.

Details mode displays, for every rule in the list, a description and a textual summary of the rule's parameters, that is, Who, Did what, On which computer, From which client and When:
Description: A description that provides the motivation for the alert rule, for example "Alert if user views hosts file in typical editors".
Who: The user for whom the alert is generated.
Did What: The actions the user performed.
On Which Computer: The name of the computer on which the action occurred.
From Which Client: The name, domain name or IP address of the client.
When: The day, date and time at which the action occurred.

Alert Rule Tasks
47. Viewing Alert Details (Who, Did What, On Which Computer, From Which Client, When)

In Details mode, you can view details of the conditions that contributed to the generation of the alert: exactly Who, Did what, On which computer, From which client and When. For details of the conditions and instructions on how to configure them, see Creating Alert Rules.

To view the alerts in Details mode:
1. In the Show area of the Activity Alerts page, click the Details icon. Details mode displays the expanded details for each alert, the same as if you clicked to expand each List view item.

[Screenshot: Activity Alerts in Details mode, Period Last 1 Months (between 07/15/2014 and 07/23/2014), Severity All, Alert rule All, with More Filters (Server, Login, Server group, User secondary, Client, Flagged, Alert ID), showing 1-11 of 11. Example: 7/21/2014 03:05 PM, "Browsing SETTINGS pages", login micky, user n/a, server OBSERVEIT-PM: Who OBSERVEIT-PM\micky (View rule details); Did what: Microsoft SQL Server Management Studio; On which Computer: OBSERVEIT-PM; From which Client: OIT-MICKY (10.1.100.100); When: Monday 7/21/2014 3:05 PM. 01:27 PM, "Unix privileged deletion or copy", login micky, server oit-pm-linux: Who (none)\micky, View rule det]
48. When Session Data Integrity is enabled, a warning icon appears next to the Slides number in the Server/User Diary, indicating that the session data was tampered with.

[Screenshot: Configuration > Security > Data Integrity tab: Enable Session Data Integrity check box; Application Servers table with columns App Server Name, ID, Image Security, Installation Security and Last Updated, for example W2K8-S8-D02, bf36813f-efd3-4d47-b073-cd1278ba3ae..., Off, Off, 1/11/2015.]

In the Application Server Image Security (Encryption) window:
• Select the Enable Image Security check box.
• Make sure that the Digital Certificate listed matches the one you have obtained for the Application Server. If no Digital Certificate is listed, image security cannot be enabled.
• Click the Update button.
• Click OK to acknowledge the changes.

[Screenshot: Application Server Image Security (Encryption) page at http://10.3.0.59:4884/ObserveIT/AdminApplicationServerImageSecurity.aspx: "When Image Security is enabled, the ObserveIT Agents and Application Server will use a token exchange mechanism to encrypt all session data. In addition, recordings will be digitally signed by the Application Server when stored in the database." Enable Image Security check box; Select Certificate: WIN2003-OITSRV.oit-demo.local; Cancel and Update buttons.]

The images will now be protected in the database.

Important: If you have previously set SSL for communicating with the ObserveIT Managemen
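What signing a recording at storage time and flagging it at replay time amounts to in practice, as an added Python example that is not ObserveIT code: every slide of a recording is hashed, the hashes are chained so that order matters, and the chain head together with the session ID and slide count is signed when the session is stored; verification before replay then reports altered, reordered or missing slides, which is the condition behind the Diary warning icon above and the missing-slides warning on the Saved Sessions page. The Application Server signs with its certificate; this example substitutes HMAC-SHA256 with a server-held key so that it runs on the standard library alone, and the slide contents and key are constructed.

```python
# Added example (not ObserveIT code).  Swapped-in technique: HMAC-SHA256 with
# a server-held key stands in for the Application Server's certificate-based
# signature; slide contents and the key are constructed.
import hashlib
import hmac
import json


def slide_digest(slide):
    return hashlib.sha256(slide).hexdigest()


def chain_head(digests):
    """Fold the slide digests in order; any change of content, order or count
    changes the head."""
    head = ""
    for digest in digests:
        head = hashlib.sha256((head + digest).encode()).hexdigest()
    return head


def _payload(session_id, slide_count, head):
    return json.dumps({"session": session_id, "slides": slide_count, "head": head},
                      sort_keys=True).encode()


def sign_session(key, session_id, slides):
    """Signature record stored alongside the recording."""
    head = chain_head(slide_digest(s) for s in slides)
    sig = hmac.new(key, _payload(session_id, len(slides), head), hashlib.sha256).hexdigest()
    return {"session": session_id, "slides": len(slides), "head": head, "sig": sig}


def verify_session(key, record, slides):
    """Return (ok, reason); ok=False is the state the Diary warning icon reports."""
    expected = hmac.new(key, _payload(record["session"], record["slides"], record["head"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["sig"]):
        return False, "signature record altered"
    if len(slides) != record["slides"]:
        return False, "slide count changed (slides missing or added)"
    if chain_head(slide_digest(s) for s in slides) != record["head"]:
        return False, "slide content or order changed"
    return True, "intact"


# Constructed sample: three screenshots of one session, as bytes.  The
# session ID is the one that appears in the guide's alert log excerpt.
SESSION_ID = "4EBB1BB5-3BB1-49F8-B089-9C6302954D08"
SLIDES = [b"slide-1: desktop", b"slide-2: SSMS query window", b"slide-3: query result"]
SERVER_KEY = b"application-server-signing-key (constructed)"


def tamper_demo():
    """Sign the sample session, then verify it intact and after four tampers."""
    record = sign_session(SERVER_KEY, SESSION_ID, SLIDES)
    edited = SLIDES[:1] + [b"slide-2: nothing to see"] + SLIDES[2:]
    return {
        "intact": verify_session(SERVER_KEY, record, SLIDES),
        "edited": verify_session(SERVER_KEY, record, edited),
        "missing": verify_session(SERVER_KEY, record, SLIDES[:2]),
        "reordered": verify_session(SERVER_KEY, record, [SLIDES[1], SLIDES[0], SLIDES[2]]),
        # Attacker drops a slide and rewrites the count in the record to match.
        "forged": verify_session(SERVER_KEY, dict(record, slides=2), SLIDES[:2]),
    }


if __name__ == "__main__":
    for name, (ok, reason) in tamper_demo().items():
        print(f"{name:9s} ok={ok} {reason}")
```

The "forged" case is why the count and the chain head are signed together rather than stored beside the signature: editing the record to agree with a shortened recording is caught by the signature check before the slide chain is even recomputed.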
Henceforth, whenever someone opens the Date and Time applet, the Sticky Note will pop up on the screen with the warning message.

[Screenshot: Date and Time Properties dialog with a Sticky Note reading "Do NOT change the time without consulting with Daniel" and "Press F12 to view more details".]

After a few seconds, the Sticky Note popup will fade away.

Generating a Sticky Note Report

You can generate a report of all Sticky Notes that have been created, to view the resource to which each Sticky Note is attached and who has viewed the note.

To generate a Sticky Note report:

1. Navigate to Reports > Sticky Notes. A list of all the Sticky Notes appears.

[Screenshot: Reports > Sticky Notes page listing each note's Image, User, Date Created, and Last Accessed, with View Log and Delete links.]

2. Click the View Log link next to the required item to view a list of all the instances of when the Sticky Note was displayed in the system.

To delete a Sticky
[Screenshot: column selection step of the report configuration wizard, with Check All / Clear All and column check boxes such as Date, User, User Name, Login Name, User Identity, User Authentication, and Domain Name, plus Preview, Cancel, Next, and Save buttons.]

Note: You can always return to this step and add or remove columns, and gradually obtain the report that you need by using a trial-and-error process. Also, at any point you can cancel the process or advance to a different step without having to go through all the steps in chronological order.

7. In step 2 of the report configuration wizard, you can specify the way the report results will be grouped, by specifying the following fields:
• Group By (for example, Session Start Date, Session End Date, and then by Server Name)
• Sort Order (for example, Ascending)
• Group Dates By (for example, by Week)

You can always return to this step and add or remove columns, and gradually get the report that you need using a trial-and-error process.

268 Copyright 2015 ObserveIT. All rights reserved.

Managing Reports

When finished, click Next.

[Screenshot: Step 2 of 4, Grouping selection: "Select the way the report results will be grouped. You may choose up to 3 fields to group by." Group By: Session Start Date; Sort Order: Ascending; Group Dates By: Week.]
[Screenshot: Server Policy Template page, System Policy section (Set keyboard frequency: Low; Set continuous recording (seconds): OFF).]

3. Click Save to save the changes. Setting changes will take effect on new user sessions after the current sessions are closed.

Enabling Agent API

Note: This feature is supported only on Windows-based server policies.

The ObserveIT Agent software's Application Programming Interface (API) allows programmers to control the Agent recording status (Enabled, Disabled, Started, or Stopped), which applications or URLs are recorded, and other settings. Although this API is protected, it is disabled by default in order to prevent wrongful usage of the API by malicious users. If you intend to use the API, you must enable it.

You can enable the Agent API manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.

To enable the Agent API using Server Policies:

1. In the Configuration > Server Policies page, click Create or select a server policy template (default Windows-based policy).

Configuring Server Policy Settings

2. In the System Policy section of the Server Policy Template page, select the Enable API check box. By default, this check box is disabled.

[Screenshot: Server Policy Template page for "Default Windows-based Policy", System Policy section, with Back to Server Policy Templates, Linked Servers, Cancel, and Save controls.]
Medium: Unreachable, Disabled
Green (Normal/Active): OK
Blue (Low/Administrative): Unregistered, Uninstalled

See also Colored Severity Levels and Icons in the Admin Dashboard section.

The System Events list displays the following columns:
• Time: date and time that the event was triggered
• Code: code that identifies the event
• Category: category to which the event belongs (Identity Theft, Installation, Functionality, Data Loss, Tampering, Communication, Recording)
• Event: name of the event that occurred
• Server: server on which the event occurred

Note: Offline event rows are colored gray in the System Events list, as shown in the above figure. When an event occurs offline, you can easily view and identify the offline events in the System Events list once the system is online again.

2. You can expand an event to view more details.

[Screenshot: expanded event 1220 (Tampering, "Process was killed and automatically restarted") on W2K8-S8-QA11: Severity High; Component Agent; Source Agent; Status Details "Process killed"; Event Description "The Agent process was killed and automatically restarted by Watchdog"; Email Sent No; Login Name Administrator; Remediation Status New; Add Comment.]

Depending on the event type, the information may include:
• Severity: the event severity (High, Medium, Low)
• Component: the component type on which the event was reported (for example, Agent)
• So
Note, click the adjacent Delete link on the right of the item. You will NOT be prompted for your approval: clicking the Delete link immediately deletes the Sticky Note.

Using Hotkeys: Context Sensitive Search

ObserveIT constantly monitors the resources and applications accessed by users on the monitored servers. As a result, you can see all previous accesses of any particular resource or application. The Context Sensitive Search feature allows you to easily search for the resource you are currently accessing. The Context Sensitive Search feature is accessed by using the F12 hotkey. By pressing F12, ObserveIT's Context Sensitive Search searches through the database and displays a list of all previous instances where the same application or resource was accessed.

In the following example, a user is using the Command Prompt. By pressing F12, ObserveIT's Context Sensitive Search will display a list of all previous sessions where the Command Prompt has been accessed.

[Screenshot: ObserveIT Enterprise Web Console, Search Results for Sticky Notes, filterable by User Name, Login, and Server, listing Image Description, Login Name, User Name, Server Name, and Date for each previous access (for example Administrator and Danielp on WIN2003-SRV1, 11/08/2009).]
ObserveIT. An Administrator can make changes to the ObserveIT configuration and is allowed to view all session recordings. This is the default role.
• The View Only Admin role can view session recordings but cannot gain access to any ObserveIT configuration option.
• The Config Admin role allows administrative access to the Web Console without the ability to review user activity logs or screen recordings. Config Admin users can only access specific configuration areas and can manage only other Config Admin user accounts.

See the following topics:
• Creating Local or Active Directory-based Console Users
• Creating and Managing Local Console Users
• Creating Active Directory Console Groups
• Assigning Console User Permissions to View Recordings

Console Users

Creating Local or Active Directory-based Console Users

You can easily create additional Console Users. When you create a Console User, you can create either Local Console Users, which will be created in the ObserveIT database, or, if an LDAP Target has been established, Active Directory-based Console Users. If the server on which the ObserveIT Application Server is installed is a member of an Active Directory domain, that Active Directory domain will be automatically added to the list of LDAP Targets and will be configured as an Automatic-type LDAP Target. This will enable the usage of Active Directory users and groups fro
[Screenshot: Activity Alerts list with rows such as "After hours Login to DB server" and "Opened Regedit" for login administrator on OITHostedDem, each showing Time, Alert, Login, User, Server, and Video.]

Note: You can print the Alerts list and/or export it to Excel (see Printing and Exporting Alerts). Alerts can be deleted ONLY by ObserveIT Administrators (see Deleting Alerts).

For each alert, the following information is displayed, according to the filtered details (see Filtering Alerts):
• Expand icon: click to show details of the alert.
• Time: time that the alert was triggered. Alerts are generated as close as possible to the time they occur. In case of a delay between the alert generation and the time of reporting it (such as Agent offline, communication issues, and so on), the date and time of the alert reflects the time it was generated, regardless of the delay.
• Flag icon: indication of whether the alert is currently flagged for follow-up.
• Alert: name of the alert that was triggered, for example "After hours login to DB server".
• Login: login name of the user who ran the session in which the alert occurred.
• User: secondary identification of the user who ran the session in which the alert(s) occurred.
• Server: server on which the alert occurred.
• Video: when clicked, opens the Session Player at the screen location where the alert was generated.
[Screenshot: event row with Remediation Status New, Status, and View Details controls.]

Identity Theft Detection

Due to the multiple security challenges we face today, there is a need for a higher level of security to protect users from identity theft. When identity theft occurs, fraudsters impersonate the identity of someone else in order to access their computer. The ObserveIT Identity Theft Detection solution is designed to detect access to ObserveIT-monitored servers from unauthorized client computers.

When Identity Theft Detection is enabled and users are logged on to ObserveIT-monitored servers, ObserveIT administrators or security officers will be notified about any suspicious login. A suspicious login is defined as a user trying to log in from an unauthorized client machine. ObserveIT keeps track of authorized user login IDs and their client machines by pairing the domain name/login name of the user with the client computer from which the user is logged in. If a user logs in to a server from a client that is not paired to the user, an email is sent to the user stating that there is a suspicious login with this user's credentials. For further details, see Configuring Pairing Requests.

Events are generated for each and every login, whether or not they originate from paired user-clients. If a user requests a user-client pairing, a pairing request event is issued. The administrator can track and monitor
[Screenshot: Reports list including the sample report "SAMPLE Sessions Comments Report" (new comments to sessions during the last 24 hours, Past Day, created 4/22/2012 by Admin), with Run, Cached, Schedule, Copy, Edit, and Delete links.]

2. Click the Create New Custom Report button.

Managing Reports

The report configuration wizard opens.

[Screenshot: New Report, Report type selection: "Please select the report type based on the type of information you want to focus on", with report types on the left and All computers / Windows-based computers only / Unix-based computers only on the right.]

3. To specify the report type:
 1. From the list on the left, select an option to specify the type of information on which to base the report: Servers, Users, Applications, Commands, Comments, Messages, Tickets, Audit Sessions, Audit Logins, or Audit Saved Sessions.
 2. Select an option on the right to specify the platform (computers) to focus on in the report: Windows-based, Unix-based, or All computers. For the purpose of this example, select Servers and All computers.

4. Click Next. The resulting report is based on the type of report you selected. For example, choosing a Servers type
Scenarios

The following scenarios provide some examples of how you can use the Executed Command options to configure alert rules.

Note: For the purposes of these examples, the scope of the alert rule is per session, which means that an alert will be generated only on the first occurrence of every unique match of the rule in each session. Full details about defining the scope of rules are provided in Defining the Did What Conditions.

Activity Alerts

Scenario: Trigger an alert when a root Unix user tries to change credentials to a privileged user.
Description: The user is trying to grant more permissions by using the su or sudo commands, or by running a command that grants root permissions.
Conditions: Executed Command: Permissions are "root, other than own" OR Executed Command: Command name is su, sudo.

Scenario: Trigger an alert when a Unix user tries to remove a directory by running the rm command using the -r or -f flags.
Description: The Unix user is trying to remove a directory containing observeit.
Conditions: Executed Command: Command name is rm AND Executed Command: Switch is r,f.

Scenario: Trigger an alert when a new user is added with root permissions.
Description: A remote contractor with root permissions creates a new user account with root permissions, that is, creates a duplicate user ID.
Conditions: Executed Command: Command name is useradd (that is, create a new user) AND Executed Command: Switch is o (that is, create a duplicate user ID) AND Executed Command: Switch
[Screenshot: Configuration > Identity Theft Detection > Settings tab.]

Email: "An email will be sent to these email addresses upon every new pairing request" (for example danny@gmail.com and sue@observeit.com).

Expiration: Pairing Expiration Period: Never.

Policies: "Select one or more Server Configuration Policies from the lists below. Identity Theft Detection will be enabled on the selected policies."
Apply to Server Policy Templates: Default Metadata Only Policy, Default Recording Disabled Policy, Default Unix-based Policy, Default Windows-based Policy.
Apply to Server Policies: individual servers with Manual configuration (for example W2K8-S8-QA1, W12-S12-QA0, D003R232SQL5). Note: Only servers that have manual configuration settings are listed.

Email Template: "Below is an example of the email text that will be sent to the user. You can add/edit information in the text box provided."
Subject: Suspected use of your
LDAP Settings

[Screenshot: Configuration > LDAP Settings page, Authentication Configuration section, Automatic LDAP Target, with Detect Domain Membership and Synchronize LDAP Groups buttons.]

Note: Clicking the Detect Domain Controller button will first detect whether the ObserveIT Application Server belongs to an Active Directory domain. If true, an automatic-type LDAP path will be added to the LDAP list below. Only automatic-type (Auto) domains can be used for Active Directory Groups.

Type the correct LDAP path by using the following example:

LDAP://<Domain Controller Name or IP>/DC=<Domain Name>,DC=<Suffix>

For example, if your Domain Controller name is OBS-DC1 and your domain name is OBSERVEIT-SYS.LOCAL, then use the following LDAP path:

LDAP://OBS-DC1/DC=OBSERVEIT-SYS,DC=LOCAL

Note: If no name resolution is possible, you might need to enter the Domain Controller IP address instead.

LDAP Path: LDAP:// (Secure LDAP check box). Enter user credentials to verify the LDAP path: User Name, Password. Add & V
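The LDAP path format above, as an added example (not ObserveIT code) that builds the path from a Domain Controller name and a DNS domain name, parses it back, and tells whether the controller was given by IP address; the function names and validation rules are assumptions.

```python
"""Build and check an LDAP Target path in the form shown above (added
example, not ObserveIT code). The function names and the checks are
assumptions for this illustration."""
import ipaddress
import re
from typing import Tuple

LABEL = r"[A-Za-z0-9-]+"  # one DNS label, also the value of a DC= component


def build_ldap_path(domain_controller: str, domain_name: str) -> str:
    """LDAP://<DC name or IP>/DC=<label>,DC=<label>... from a DNS domain name."""
    labels = [l for l in domain_name.strip(".").split(".") if l]
    if not domain_controller or not labels:
        raise ValueError("domain controller and domain name are required")
    if not all(re.fullmatch(LABEL, l) for l in labels):
        raise ValueError(f"invalid DNS label in {domain_name!r}")
    return f"LDAP://{domain_controller}/" + ",".join(f"DC={l}" for l in labels)


def parse_ldap_path(path: str) -> Tuple[str, str]:
    """Reverse of build_ldap_path: returns (domain controller, DNS domain name)."""
    m = re.fullmatch(rf"LDAP://([^/\s]+)/(DC={LABEL}(?:,DC={LABEL})*)", path)
    if m is None:
        raise ValueError(f"not an LDAP path of the expected form: {path!r}")
    host, dn = m.groups()
    return host, ".".join(part[3:] for part in dn.split(","))


def controller_is_ip(path: str) -> bool:
    """True when the path names the Domain Controller by IP address, which the
    note above reserves for the case where name resolution is not possible."""
    host, _ = parse_ldap_path(path)
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False
```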
Service (Health Monitoring Service), or select All to view all events.

• Login: To search for events by the login name of the user who ran the session in which the event(s) occurred, select an option from the list, or select All.
• Client: To search for events by the client computer from which the user logged in, specify the details or search for it, or select All to view all events.
• To search for a specific event by ID, type the event ID in the text box.
• Status Details: To search for events by status details, select an option from the list (Service Stopped, Service Terminated, and so on), or select All to view events for all status details. For further details, see Assessing Agent Statuses and Details.
• Event Code: To search by event code, select an option from the list, or select All to view all events. You can click the adjacent link to view a list displaying the code numbers and details of all events.
• Source: To search by source (the component that reported the event), select an option from the list, or select All. During the live monitoring of ObserveIT, events can be triggered from the following sources:
 – Identity Theft events are triggered by user login or pairing requests.
 – Agent events are triggered by the Agent, for example during health check monitoring.
 – Notification Service events are triggered by the Notification Service, for example "Monitor log could not
The Executed Command group includes the following options for configuring conditions.

Option: Command name
Description: The name of the Unix command that the user ran.
When should I use this option: Use this option if you want to be alerted when the user runs a specific Unix command.
Examples: If a Unix user is trying to remove a sensitive directory, you might define the following condition: Executed Command: Command name is rm. Other examples of command names include su, emacs, tail, ls, sudo, setuid.

Option: Full path
Description: The full path of the command, including any command-line arguments.
When should I use this option: Use this option if you want to configure an alert based on the explicit path of a command.
Examples: /usr/sbin/oitcheck rm

Option: Argument
Description: The object of the Unix command.
When should I use this option: Use this option if you want to configure an alert based on a command's object or user action.
Examples: If the user is trying to remove a sensitive directory such as observeit, you might define the following condition: Executed Command: Argument is observeit. Other examples of arguments include sys, admin, oracle, r, f.

Option: Switch
Description: The switch (flag) that defines the action on the command.
When should I use this option: The Switch option provides more search combinations than the Argument option,
Examples: In the case of a user trying to remove a sensitive directory, the following condition might be used: Executed Command: Switch is r,f.
[Screenshot: Configuration > System Events list. Each row shows Time, Code, Category, Event, and Server (W2K8-S8-QA11 or c59-32-3); the events shown include the following.]

Code  Category       Event
1201  Functionality  Agent service has started
1203  Functionality  Agent service was terminated
1218  Tampering      Agent offline data files were tampered with
1219  Functionality  Agent service not responding
1220  Tampering      Process was killed and automatically restarted
1221  Communication  Agent machine and service are accessible
1231  Data Loss      Offline data loss threshold exceeded
1301  Functionality  Application Server is not working properly
1304  Functionality  Application Server is running
Unix-based server policies. By default, ObserveIT is configured to record all the users that log on to any monitored computer. However, if you do not want to record all users that log in, ObserveIT lets you configure a recording policy that specifies which users and/or user groups to include in or exclude from being recorded. If required, you can record just metadata for users/groups that you want to exclude from being recorded.

Note: ObserveIT easily integrates with your Active Directory forest, enabling you to include or exclude users and groups from any domain in the forest in which the ObserveIT server-side components are installed, and in which the ObserveIT Agents are deployed (if different). Cross-forest trusts can also be used. Although using groups from Active Directory domains is possible with any group scope (domain local, global, or universal), it is recommended that you follow Microsoft's best practices on group object usage. For further details, refer to Active Directory Best Practices.

You can configure a user recording policy manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies in the Server Policy Template page to configure many servers (Agents) simultaneously.

To configure the ObserveIT Server to record all user sessions except for a few specific users or groups, using Server Policies:

1. In the Configuration > Server Policies page, click Create or select a server policy template (W
Windows logon screen / Unix prompt with another account, either from Active Directory or from the Local ObserveIT Identification Users database.

In the Apply to Server Policy Templates section, update the server policy templates by selecting the check boxes of all the server policies on which you want to configure the user(s). You must select at least one check box, but you can make changes to these settings later.

[Screenshot: Apply to Server Policy Templates section: "Click to select one or more Server Configuration Policies from the list below. Any time the above user logs on to any of the servers that are linked to the selected policies, they will be required to provide secondary authentication credentials. Note: The Enforce login check box in the selected policies must be turned on in order to take effect." Policy Name / Enforce login is turned on: Default Windows-based Policy, Yes; Default Metadata Only Policy, Yes; Default Recording Disabled Policy, No; Default Unix-based Policy, Yes.]

Note the following:

1. In order for Forced Identification users to be prompted to enter their secondary credentials, Enforce Login must be turned on for the selected Server Configuration Policies. To enable Enforce Login, select the check box in the Identification Policy section in the Server Policies Template window, accessed from the Configuration > Server Policies page. For further details, see Identification Policy.

2. You can also configure a recording policy for
and In Process events:
• New
• In Process
• Closed

2. Click Show to show the events based on the specified remediation status.

Configuring Email Notification Settings for Events

Administrators can assign a notification policy to each system event to designate who gets notified by email, for which event types, and at what frequency. The system events notification policy determines whether the recipients receive immediate notification (with separate emails upon each event), digest emails of event activity per specified number of minutes, or digest emails on a daily basis at a fixed time. For example, IT security officers in charge of handling high-severity system events can be notified immediately upon every event, with a separate email for each system event notification. Events of lower severity or priority can be sent to relevant personnel in digest emails at predetermined intervals. Other individuals, such as compliance officers or managers, may require only a daily summary of the day's system events.

To configure the System Events Notification Policy:

1. Navigate to Configuration > System Events.
2. Click the System Events Notification Policy tab.

[Screenshot: Configuration > System Events page, System Events Notification Policy tab.]
and the Servers list displays the group members. You can manually change the group in the Group drop-down list to match your requirements, to view the relevant servers.

To modify a member's properties in the Servers list, click the name of the server you want to modify. In the server's properties page, edit the relevant fields and click Save to save the changes.

To remove a server from the server group:

1. In the Servers list, click the expand icon next to the server that you want to remove, and click the Remove link located on the right of the expanded details.

[Screenshot: Servers list filtered by Group "Finance Servers", showing server w2k8-S8-D02 (Default Windows-based policy, version 5.8.0.0, status OK, installed 1/6/2015, last activity 1/6/2015) expanded to show OS Type Windows and OS Version Windows Server 2008 R2, with a Remove link.]

A message is displayed warning that you are about to remove a server from a server group.

2. Click OK to proceed. The server is removed from the server group.

Note: Removing servers from a server group may affect the permissions that are assigned to one or more Console Users. In such a case, a Console User might not be able to access these servers anymore.

Deleting Server Groups

To delete a server group:

1. Navigate to Configuration > Server Groups.
2. Click the Delete link next to th
[Screenshot: Reports list including the sample report "SAMPLE Apps usage per Server grouped by App Name" (all apps used on the monitored servers, grouped by App Name, Past Week, created 25/10/09 by admin), with Run, Cached, Schedule, Copy, Edit, and Delete links.]

2. When editing a report, you can freely move between the steps of the configuration wizard and make changes. For example, change the report from grouping by Server Name to grouping by Login Name.

[Screenshot: Step 2 of 4, Grouping selection, for the report "All Remote Desktop Sessions in the past month": "Select the grouping for which you would like to calculate summary information. You may choose up to 3 fields to group by." Group By: Login Name, Sort Order: Ascending, Group Dates By: Week; "and then by": None.]

3. At this point, you can click the Preview button to view the results of the report and make modifications to the filter as required.

4. When finished making the changes, click Save. The Generate Report / Save Report page opens.
can expand the Agent to view more details, including status details (when not OK), OS type, and OS version.

[Screenshot: Servers page for Group "All Servers", with filters for Server Policy, Agent Type, OS Type, OS Version, Version, and Status Details; listing c59-32-3 (Default Unix-based Policy, version 5.8.0.153, OK) and W2K8-S8-QA11 (Default Windows-based, version 5.8.0.0, OK) expanded to show OS Type Windows and OS Version Windows Server 2008 R2, with an Unregister link.]

For explanations of the icons and colored severity levels of system events and operational statuses, see Colored Severity Levels and Icons.

System Services

In the System Services portal, located at the top of the Admin Dashboard, you can view information about the following system services to verify whether they are working properly:
• Notification Service: impacts whether there are archives, event emails, and scheduled reports
• Health Monitoring Service: impacts whether system health statuses are reported and whether the data displayed in the Admin Dashboard is updated
• Rule Engine Service: impacts whether alert rules are created

From the System Services portal, you can drill down to investigate related system events in order to identify
commonly used for large deployments or when the SQL Server database has performance issues. Recorded visual images can be stored either on the local hard drive of the ObserveIT Application Server or on a file share in the network. For further details, see Storing the ObserveIT Screenshots in the Installation Guide.

Note: When using file system storage, there is still a need to maintain the SQL Server database in order to store the recorded textual metadata, image pointers, and the ObserveIT configuration settings.

Configuring Database Storage

The SQL Server database is used to store configuration data, textual audit metadata, and possibly (unless the file system is used) the screenshots captured by the ObserveIT Agents for video replay. The database continuously grows as more sessions are recorded. To prevent data loss as the database becomes full, ObserveIT enables you to configure additional storage space. You can configure a threshold, as a percentage of allocated disk space, specifying the maximum disk space that is allocated for the database. A system event is generated when the database storage threshold reaches its configured limit, alerting you to configure additional storage space by updating the specified threshold or by running the archive process. For details about configuring ObserveIT archive storage, see Archiving Information.

Configuring File System Storage

If you are using the file system for screen capture storage, you mus
credentials
Body: User domainName userName performed login from client machine clientMachine. Details: Description: description. Login: Shared Account login. User: userName. Client: clientName (IP). Server: serverName. Date: date. Time: time. If this activity was not initiated by you, click here. If you want to avoid receiving notifications when DomainName LoginName is logged in from clientName, click here.

3. In the Email field, enter the user's email address and click Add. The email address is added to the list.

4. Repeat the above step for each email address you want to add. To remove an email address from the list, select it and click Remove.

Defining the Pairing Expiration Period

When approving a pairing request, the administrator must specify the length of time that the approved request will be valid.

To define the expiration period after which approved pairing requests will no longer be valid:

1. In the Configuration > Identity Theft Detection > Settings tab, select the email address(es) for which you want to define a pairing expiration period.

Identity Theft Detection

2. From the Pairing Expiration Period drop-down list, select the length of time that you want to allow approved pairing requests for these email addresses (users) to be valid. Options are 3 months, 1 year, 3 years, or Never. After the specified e
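The pairing logic described under Identity Theft Detection and the Pairing Expiration Period above, as an added example that is not ObserveIT code: the PairingStore and LoginEvent classes, the day counts assumed for each expiration period, and the sample pairings and logins are constructed for illustration.

```python
"""Identity Theft Detection pairing check (added example, not ObserveIT code).
Models the user/client pairings, the Pairing Expiration Period options and the
per-login event described above. The classes, the day counts used for the
periods and the sample records are assumptions for this illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# Drop-down options from the Settings tab; None means the pairing never expires.
EXPIRATION_DAYS: Dict[str, Optional[int]] = {
    "3 months": 91, "1 year": 365, "3 years": 1095, "Never": None}


@dataclass
class Pairing:
    approved_on: date
    period: str  # one of EXPIRATION_DAYS

    def valid_on(self, day: date) -> bool:
        days = EXPIRATION_DAYS[self.period]
        return days is None or day < self.approved_on + timedelta(days=days)


@dataclass
class PairingStore:
    """(domain, login) -> {client machine -> approved pairing}."""
    pairs: Dict[Tuple[str, str], Dict[str, Pairing]] = field(default_factory=dict)

    def approve(self, domain: str, login: str, client: str,
                approved_on: date, period: str = "Never") -> None:
        if period not in EXPIRATION_DAYS:
            raise ValueError(f"unknown expiration period: {period}")
        self.pairs.setdefault((domain, login), {})[client] = Pairing(approved_on, period)

    def is_paired(self, domain: str, login: str, client: str, day: date) -> bool:
        pairing = self.pairs.get((domain, login), {}).get(client)
        return pairing is not None and pairing.valid_on(day)


@dataclass
class LoginEvent:
    domain: str
    login: str
    client: str
    server: str
    day: date


def evaluate_login(store: PairingStore, ev: LoginEvent) -> dict:
    """Every login generates an event; a login from a client that is not
    paired to the user is marked suspicious and triggers the email to the user."""
    paired = store.is_paired(ev.domain, ev.login, ev.client, ev.day)
    return {
        "user": f"{ev.domain}\\{ev.login}",
        "client": ev.client,
        "server": ev.server,
        "suspicious": not paired,
        "notify_user": not paired,
    }


def demo() -> list:
    """Constructed pairings and logins (sample data, not recorded events)."""
    store = PairingStore()
    store.approve("OBSERVEIT", "micky", "OIT-MICKY", date(2014, 1, 10), "3 months")
    store.approve("OBSERVEIT", "administrator", "OIT-ADMIN", date(2010, 6, 1))
    logins = [
        LoginEvent("OBSERVEIT", "micky", "OIT-MICKY", "OBSERVEIT-PM", date(2014, 3, 1)),
        LoginEvent("OBSERVEIT", "micky", "OIT-MICKY", "OBSERVEIT-PM", date(2014, 7, 21)),
        LoginEvent("OBSERVEIT", "micky", "LAPTOP-UNKNOWN", "OBSERVEIT-PM", date(2014, 3, 1)),
        LoginEvent("OBSERVEIT", "administrator", "OIT-ADMIN", "OBSERVEIT-PM", date(2014, 7, 21)),
    ]
    return [evaluate_login(store, ev) for ev in logins]
```

The second login in demo() is from the paired client but after the 3-month pairing has lapsed, so it is flagged exactly like the login from the unknown laptop.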
• MMC.exe
• Regedit.exe
• Mstsc.exe

To change either the particular Server's Configuration Policy or the Server Configuration Policy that affects that server:

1. Navigate to Configuration > Server Policies.
2. Click the relevant policy to open its configuration page.

Recording Metadata Information

3. In the Application Recording Policy section, select the "Record only the following applications" option.
4. From the Applications drop-down list, select and add the specific applications. After making the changes, the relevant screen section should look like this:

[Screenshot: "Record only the following applications. To activate recording (video & metadata) for a specific application, please select the process name from the list and click Add. You can add multiple applications to this list." Applications: Registry Editor (regedit), Windows Command Processor (cmd), Microsoft Management Console (mmc), Notepad (notepad); Record URL / Exact Match; "Record metadata for all applications, whether added to the list or not. Video will be recorded only for applications that appear on the list."]

5. When you have finished configuring the server, click Save.
6. Read the warning message and, if you are satisfied with your changes, click OK to proceed, or Cancel to discard your changes.

Note: As noted above in the first option, for other scenarios you can configure the Record Metadata
73. enabling you to find exactly what you need. For example, if you are looking in an alert rule for a particular switch, the switch option allows you to use "ri" or "i", which extends the range of your search options.

Usage examples:
• Switch is rf: both switches (r and f) are on.
• Switch is either r, f: either switch is on.
• Switch is not rf: neither switch is on.

Permissions | The logged-in user's permissions are: own, other than own, root, root other than own | Use these options if you want to generate an alert when a user tries to change or switch credentials.

Usage examples:
• Executed Command: Permissions are own checks whether the user logged in with their own credentials.
• Executed Command: Permissions are other than own checks whether the user logged in with their own credentials and then switched to someone else's credentials via the su command.
• Executed Command: Permissions are root checks whether the user logged in with root credentials.
• Executed Command: Permissions are root other than own checks whether the user logged in with their own root credentials and then switched to someone else's credentials via the su command.

Note: On Unix/Linux operating systems, user names, file and directory names, commands and computer names are all case sensitive. Unix/Linux alert rules are also case sensitive.

Example
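The switch and permission conditions above are easy to get subtly wrong (combined switches such as -rf, case sensitivity, and what "other than own" means after an su). The following added example, which is not ObserveIT code, shows one way to evaluate those conditions over constructed Unix command events. The event fields (login user, effective user, command line) and the treatment of any change of effective user as an su-style switch are this example's assumptions; the operator names and permission classes are the ones the table uses.

```python
"""Evaluate Unix "Executed Command" switch and permission conditions.

Added example, not ObserveIT code. The operators (is / is either / is not)
and the permission classes (own, other than own, root, root other than own)
come from the alert rule table; the event layout and the su detection are
this example's own assumptions.
"""
import shlex


def parse_switches(command_line):
    """Return the set of single-letter switches present in a command line.

    "rm -rf /tmp/x" -> {"r", "f"}; "ls -l -i" -> {"l", "i"}.
    Long options (--force) and bare arguments are ignored. Unix switches
    are case sensitive, so -R and -r are kept distinct.
    """
    switches = set()
    for tok in shlex.split(command_line):
        if tok.startswith("-") and not tok.startswith("--") and len(tok) > 1:
            switches.update(tok[1:])
    return switches


def switch_condition(op, wanted, command_line):
    """op: 'is' (all wanted switches on), 'is either' (any on), 'is not' (none on)."""
    present = parse_switches(command_line)
    wanted = set(wanted)
    if op == "is":
        return wanted <= present
    if op == "is either":
        return bool(wanted & present)
    if op == "is not":
        return not (wanted & present)
    raise ValueError(f"unknown switch operator: {op}")


def permission_class(login_user, effective_user):
    """Classify who the command ran as, relative to who logged in.

    A differing effective user is assumed to come from su (or similar).
    """
    if login_user == effective_user:
        return "root" if effective_user == "root" else "own"
    return "root other than own" if login_user == "root" else "other than own"


def permission_condition(wanted, login_user, effective_user):
    return permission_class(login_user, effective_user) == wanted


# Constructed sample events (not real ObserveIT records).
SAMPLE_EVENTS = [
    {"login": "alice", "effective": "alice", "cmd": "rm -rf /var/tmp/build"},
    {"login": "alice", "effective": "root", "cmd": "vi /etc/hosts"},
    {"login": "root", "effective": "bob", "cmd": "ls -l -i /home/bob"},
]


def evaluate(events):
    """Return (event index, rule name) pairs for the rules that would fire."""
    hits = []
    for i, ev in enumerate(events):
        if switch_condition("is", "rf", ev["cmd"]):
            hits.append((i, "rm with -rf"))
        if permission_condition("other than own", ev["login"], ev["effective"]):
            hits.append((i, "switched credentials"))
        if permission_condition("root other than own", ev["login"], ev["effective"]):
            hits.append((i, "root switched to another user"))
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Because the comparison is case sensitive, a rule written for rf will not fire on rm -Rf; write a second condition (or use "is either") if both spellings matter.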
74. for specific users. In addition, you can configure messages to be displayed constantly, for a few hours, or until a specified date or time.

Messages can be used to receive input from the user(s) logging on to these servers. After users see a message, they can provide textual feedback such as information about the reason for logging on to the server(s), the purpose of their connection, the actions they intend to perform, contact information, ticket or support request numbers, and more. This feedback is recorded in the ObserveIT console and can be viewed by an ObserveIT Admin or View Only Admin, depending on their role and permissions scope.

Unless specifically configured to lock the user's desktop, messages do not prevent users from continuing their actions and performing tasks on the server(s) to which the messages apply. To prevent users from performing harmful actions, use the built-in Windows permissions and user rights mechanism.

Users must acknowledge the message(s) they receive. This acknowledgment is recorded in the ObserveIT console and can be used as proof that the user(s) have indeed been warned about a specific task and that they understood and accepted the message. If a reply is configured as mandatory, the user must enter a text reply in addition to acknowledging the message.

Note: The Mandatory Reply feature is supported only on Windows Agents that are running ObserveIT version 5.6.0 and above. It is not supported on Unix or L
75. global or universal, it is recommended that you follow Microsoft's best practices on group object usage. For further details, refer to Active Directory Best Practices.

If the server was not a member of any domain during the ObserveIT installation, you will be able to add the LDAP target later, after adding the server to a domain.

If the server on which the ObserveIT Application Server is installed is not a member of any Active Directory domain, you can manually add LDAP targets, which will be configured as Manual type LDAP targets. This enables the use of Active Directory users; however, you cannot use groups from that domain. Note that only one automatic LDAP target domain can exist at any given time.

Changes to the LDAP Targets are made through the Configuration > LDAP Settings page.

Note: The ObserveIT Web Console Server must be able to communicate through LDAP traffic with at least one of the domain controllers in the target Active Directory domain. LDAP traffic uses TCP port 389 in most cases. If a firewall exists between the ObserveIT Web Console Server and the domain controller, you must configure the firewall to allow LDAP traffic to and from that domain controller. (Plain LDAP on port 389 is unencrypted; if your domain controllers require LDAP signing or LDAPS on TCP port 636, confirm which the Web Console is configured to use and allow that port.) For information on how to properly configure your firewall, consult your firewall vendor or user manual.

To configure an Active Directory Identification Target:
1. Navigate to the Configuration > Identification page.
2. In the Active Directory Identification
76. has an internal auditing system. Each time a video is accessed, a log entry is created with the user name, IP address, the captured session, and the frames that were viewed. This log provides auditing of the administrators who accessed the Web Console and removes the need for an external audit mechanism. The audit trail cannot be deleted, which means that each access to the Web Console will always be visible in the audit log.

Note: You can also generate reports to provide summary information about user logins, sessions, and saved sessions in which console users were active. For further details, see Reports in the User Guide.

To view the audit log for the Web Console:
• Navigate to Configuration > Audit. The Audit page opens, displaying the following four tabs:
  Logins: displays details about all successful and failed logins to the Web Console.
  Sessions: provides information about all the sessions that were replayed by the user.
  Saved Sessions: provides information about recorded ObserveIT sessions that were saved for viewing offline.
  Configuration Changes: enables you to track configuration changes that were made while working in the Web Console. By default, this tab is disabled.

The topics in this section describe the audit log information that is displayed for each of these tabs.

Auditing Logins

Auditing Access to the Web Console

For auditing purposes, ObserveIT enables yo
77. hosts file
• A Unix user attempting to change credentials to a privileged user
• Users browsing illegal Websites from work

Example of an Alert Management Process
1. An ObserveIT administrator defines a rule that will trigger an alert when suspicious activity occurs, for example when a suspicious command, window or text appears in a command line or on the screen.
2. An alert is triggered.
3. The ObserveIT user (administrator) receives an email notification about the alert.
4. Via a link in the email, the user opens the alert in the Web Console's Activity Alerts page for further investigation.
5. The user can view the alert details in list, full details, or slideshow mode. Users can also search for the alert by its ID.
6. The user can click the Video icon next to the alert to launch the ObserveIT Session Player, which replays all the slides of the session in which the alert occurred.
7. If required, upon reviewing the slide(s) which triggered the alert, the user can navigate back to the alert in the Activity Alerts page and flag it for follow-up.

Viewing and Managing Activity Alerts

The following sections describe how to view and manage activity alerts and alert rules.

Managing Activity Alerts describes how to filter alerts according to specified criteria, view alerts in different modes in the Web Console, flag alerts for follow-up, print and export alerts, delet
78. identify themselves with a secondary ObserveIT logon prompt before they can access a Windows server desktop or a published application. On Linux/Unix Agents, generic users with shared user accounts, such as root or sysadmin, will be prompted to enter their secondary credentials before they can open an interactive user session on an ObserveIT-monitored Linux/Unix computer.

See the following topics:
• Windows Secondary Identification Login Example
• Unix/Linux Secondary Identification Example

Windows Secondary Identification Login Example

The following screen provides an example of the ObserveIT secondary authentication login screen that a Forced Identification user receives after a Windows machine has been configured for secondary authentication.

[Screenshot: Secondary Identification Login dialog (version 5.7.1.0) with an "Authenticate as ObserveIT user" check box, a user name field showing obsdev\administrator, a password field, the banner "All activity on this machine is recorded and monitored", and an I Agree button]

To log in for secondary authentication:
• If the user is a local ObserveIT identification user:
  a. Select the Authenticate as ObserveIT user check box.
  b. Type a secondary user name and password.
  c. Click I Agree.
• If an Active Directory domain has been configured for the user:
  a. Type the domain and user name in the format domain\username.
  b. Type the password.
  c. Click I Agree.

Unix/Linux Secondary Identification Examp
79. is responsive. To receive Agent health check reports, it must be restarted.

Unrecorded Agent sessions | Recording | High | There are unrecorded Agent sessions. This occurs when a user ends the Agent process or disables interception in Unix. To resolve this in Windows, go to the Task Manager and restart the RCDCL process. In Unix, enable interception using the oitcons utility.

System Events

Event ID | Event | Category | Description
1205 | Agent installation files were tampered with (missing file) | Tampering | The ObserveIT Agent Service has reported that installation files were tampered with. Files may have been deleted or changed. Check the problem and reinstall the Agent, or replace the tampered file with the file version that was installed previously.
1206 | Agent installation files were tampered with (changed file) | Tampering | The ObserveIT Agent Service has reported that installation files were tampered with. Files may have been renamed and/or their contents changed. Check the problem and reinstall the Agent, or replace the tampered file with the file version that was installed previously.
1207 | Agent Registry keys were tampered with | Tampering |
1208 | Agent Registry keys are now OK | Tampering |
1209 | Agent installation files were restored | Tampering |
1210 | Agent installation files were tampered with | Tampering |
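The tampering events above distinguish a missing file from a changed one, and the 1206 description also covers a renamed file. The following added example, which is not the ObserveIT Agent's own integrity check, shows how an install-time hash manifest can be compared against a later snapshot to classify exactly those cases (plus files that were dropped into the directory). File names and contents are constructed; in real use the manifests would be built by hashing the Agent's installation directory.

```python
"""Compare a hashed manifest of installation files against a later snapshot.

Added example, not ObserveIT code. It separates the outcomes the system
events table distinguishes: missing file, changed file (same name, different
contents) and renamed file (same contents, different name), and also reports
unexpected additions. All paths and contents below are constructed.
"""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class TamperReport:
    missing: list = field(default_factory=list)   # in baseline, not on disk
    changed: list = field(default_factory=list)   # same name, different hash
    renamed: list = field(default_factory=list)   # (old_name, new_name), same hash
    added: list = field(default_factory=list)     # on disk, not in baseline

    def is_clean(self) -> bool:
        return not (self.missing or self.changed or self.renamed or self.added)


def compare_manifest(baseline: dict, current: dict) -> TamperReport:
    """baseline and current map relative path -> sha256 hex digest."""
    report = TamperReport()
    # Index the current files by hash so a renamed file can be matched by content.
    current_by_hash = {}
    for name, digest in current.items():
        current_by_hash.setdefault(digest, []).append(name)
    unmatched_new = set(current) - set(baseline)
    for name, digest in sorted(baseline.items()):
        if name in current:
            if current[name] != digest:
                report.changed.append(name)
            continue
        candidates = [n for n in current_by_hash.get(digest, []) if n in unmatched_new]
        if candidates:
            new_name = candidates[0]
            unmatched_new.discard(new_name)
            report.renamed.append((name, new_name))
        else:
            report.missing.append(name)
    report.added.extend(sorted(unmatched_new))
    return report


def build_manifest(files: dict) -> dict:
    """files: relative path -> bytes content (read from disk in real use)."""
    return {name: sha256(content) for name, content in files.items()}


# Constructed baseline taken at install time (not real Agent files).
BASELINE = build_manifest({
    "agent.exe": b"agent-binary-v1",
    "rcdcl.dll": b"recorder-library-v1",
    "config.xml": b"<config/>",
})
# Constructed later snapshot: config edited, dll renamed, exe deleted, extra file dropped in.
CURRENT = build_manifest({
    "config.xml": b"<config disabled='true'/>",
    "rcdcl_old.dll": b"recorder-library-v1",
    "evil.dll": b"not-ours",
})

if __name__ == "__main__":
    r = compare_manifest(BASELINE, CURRENT)
    print("missing:", r.missing, "changed:", r.changed, "renamed:", r.renamed, "added:", r.added)
```

The baseline manifest only has value if it is stored where the user being monitored cannot rewrite it, for example signed or kept on the Application Server rather than next to the Agent files.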
80. itself, you can open the ticket number and view the ticket details, as shown in the following example.

[Screenshot: ServiceNow incident INC0010557, opened 2012-11-21 03:14:18, requested for James Farrer, category Incident, configuration item PeopleSoft CRM, state New, impact 2 - Medium, urgency 2 - Medium, priority 3 - Moderate, assignment group IT Securities, short description "Add New Entry to hosts file"]

The lower part of the ticketing system window displays all the activity that occurred on the ticket, including user comments. You can see all the sessions that are associated with the ticket, with links to the video of each session and other information that was included by ObserveIT, such as the server that was used, the date of the session, and so on.

Note: You can click directly on the l
81. last alert generated with the same conditions. If you select this option, specify the number of minutes in the adjacent field. For example, you might select this option if you do not want to be alerted every time the user browses an illegal Website, but only at specific time intervals.

From the On drop-down list, select Windows and Unix, Windows, or Unix, depending on the required operating system.

Windows and Unix

Specify the field to be tested by selecting an option from the drop-down list:
• Ran Application: Application name, Application full path, Process name, Window title, Permission level
• Visited URL: Site URL prefix, Any part of URL
• Executed SQL Command: Statement
• Executed Command: Command name, Full path, Argument, Switch, Permissions

Note: The available field options depend on the selected operating system. If you switch between operating system options, all currently defined conditions will be deleted.
• When Windows and Unix is selected, all the group and field options are available.
• When Windows is selected, the following groups of options are available: Logged in, Ran Application, Visited URL, Executed SQL Command.
• When Unix is selected, the following groups of options are available: Logged in, Executed Command.

Select the required operator for the condition from the drop-down list, for example is, is not, does not start with, contains, and so on.

Specify the value(s) against which to test
82. link.

Admin Dashboard

The Servers list opens, filtered to display the Agents that were updated to the latest software version or the Agents running earlier versions of the software. You can expand an Agent to view more details, including status details (when not OK), OS type, and OS version.

[Screenshot: Servers list filtered with Version = Latest version (filters: Group, Server Name, Status, Server Policy, Agent Type, OS Type, OS Version, Version, Status Details, Activities), showing 1-2 of 2]
Server Name | Server Policy | Version | Status | Installation | Last Activity
w2k8-S8-QA14 | Default Windows-based | 5.8.0.0 | OK | 12/28/2014 | 12/28/2014
W2K8-S8-QA11 | Default Windows-based | 5.8.0.0 | OK | 12/28/2014 | 12/28/2014
Expanded details for W2K8-S8-QA11: OS Type Windows, OS Version Windows Server 2008 R2 (with Unregister and System Events links)

To view the number of Agents that were recently installed or uninstalled, and to drill down to further details:
1. On the right of the Deployed Agent Versions portal, view the number of Agents that were installed and uninstalled in the past 7 days. The info bar at the top of the Admin Dashboard displays the time period, which is not configurable.
2. To drill down to examine Agent details, click the Agents recently installed or uninstalled links. The Servers list opens, filtered to display the Agents that were installed or uninstalled in the past 7 days. You
83. list of recorded applications, recording any variation of that URL as long as the base string exists in the URL. If you also select Exact Match before clicking Add, www.google.com will be added to the list of recorded applications and any variation of that URL will NOT be recorded.

Note: To remove applications from the list, select them and click the Remove button.

• To record metadata for all applications, select the check box Record metadata for all applications, regardless of whether they appear in the list. Note that video is recorded only for applications that appear in the list.
5. To configure ObserveIT to record only metadata for the applications accessed during a user's session, select the Record metadata only option. Note that when this option is selected, no graphic information will ever be recorded.
6. Click Save to save the changes. Setting changes will take effect on new user sessions after the current sessions are closed.

Agent Logging and Debugging

Note: This feature is supported on Unix-based server policies only.

This feature enhances Agent logging and debugging by enabling users to dynamically control the level of detailed logs at the policy level. By default, after ObserveIT installation the Unix/Linux Agent creates a directory named /opt/observeit/agent/run, which is used to store the log files of all recorded sessions. Unix/Linux Agent logs are stored in the obit.log file. When the obit.log file reaches its
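The URL matching rule above (base string anywhere in the URL unless Exact Match is set), together with the application list and the two metadata options from the Application Recording Policy steps earlier on this page, decide what gets recorded for each screen event. The following added example, which is not ObserveIT code, implements those rules so the consequences can be checked, in particular that a non-exact entry for www.google.com also matches a look-alike host such as www.google.com.attacker.example. The policy and event structures are this example's own, and "Record metadata only" is read here as recording metadata for every application accessed.

```python
"""Decide what an application recording policy records for one screen event.

Added example, not ObserveIT code. Rules implemented: video only for listed
applications; a URL entry matches any URL containing its base string unless
Exact Match is set; "Record metadata for all applications" records metadata
for everything but still limits video to the list; "Record metadata only"
never records video (and is assumed to record metadata for every application).
"""
from dataclasses import dataclass, field


@dataclass
class UrlEntry:
    base: str
    exact: bool = False


@dataclass
class RecordingPolicy:
    processes: set = field(default_factory=set)  # process names, with or without .exe
    urls: list = field(default_factory=list)     # UrlEntry items
    metadata_for_all: bool = False
    metadata_only: bool = False


def _norm_url(url: str) -> str:
    url = url.strip().lower()
    for scheme in ("https://", "http://"):
        if url.startswith(scheme):
            url = url[len(scheme):]
    return url.rstrip("/")


def url_matches(entry: UrlEntry, url: str) -> bool:
    target, base = _norm_url(url), _norm_url(entry.base)
    # Without Exact Match this is a plain substring test, which is why
    # www.google.com also matches www.google.com.attacker.example.
    return target == base if entry.exact else base in target


def _norm_process(name: str) -> str:
    name = name.lower()
    return name[:-4] if name.endswith(".exe") else name


def is_listed(policy: RecordingPolicy, process: str, url: str = None) -> bool:
    if _norm_process(process) in {_norm_process(p) for p in policy.processes}:
        return True
    return bool(url) and any(url_matches(e, url) for e in policy.urls)


def decide(policy: RecordingPolicy, process: str, url: str = None) -> dict:
    """Return {'video': bool, 'metadata': bool} for one event."""
    listed = is_listed(policy, process, url)
    metadata = listed or policy.metadata_for_all or policy.metadata_only
    video = listed and not policy.metadata_only
    return {"video": video, "metadata": metadata}


# Constructed policy mirroring the screenshot in the steps above.
POLICY = RecordingPolicy(
    processes={"regedit", "cmd", "mmc", "notepad"},
    urls=[UrlEntry("www.google.com", exact=False)],
)

if __name__ == "__main__":
    samples = [
        ("regedit.exe", None),
        ("iexplore.exe", "https://www.google.com/search?q=x"),
        ("iexplore.exe", "http://www.google.com.attacker.example/"),
        ("winword.exe", None),
    ]
    for proc, url in samples:
        print(proc, url, decide(POLICY, proc, url))
```

If the intent is to capture only a specific site, add the entry with Exact Match, or add both the exact entry and a deliberately chosen base string, rather than relying on the substring form to stay narrow.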
84. logging

Log data (each selected type of log data is stored in its own folder, in date order):
Windows and Unix Activity | cmyyyymmdd.log
System Events | Evyyyymmdd.log
Activity Alerts | Alyyyymmdd.log
Windows Activity | Texyyyymmdd.log
Unix Activity | unixyyyymmdd.log
User Logins | exyyyymmdd.log
(file name prefixes as shown in the extracted screenshot; yyyymmdd is the log date)

Log files location: the Folder location field displays the path to the current log files. To change the location, enter a new path and click Save. The default folder location is C:\Program Files\ObserveIT\NotificationService\LogFiles.

3. Select the Enable ObserveIT logging check box.
Note: By default, the monitoring of logs is disabled. You cannot enable both ObserveIT logging and SIEM logging simultaneously, since this might cause serious performance issues.
4. In the Log data section, select the types of data you want to monitor:
• Windows and Unix Activity
• Activity Alerts
• Windows Activity
• Unix Activity
• User Logins
5. In the Folder location field, accept the default location or specify a new path for the monitor log files.
6. Click Save to save the settings. After a few minutes the log files will be generated. Each day, new log files are created.

Note the following:
• Currently there is n
85. name, if required.

To change the default LDAP field name for email notifications:
1. In the LDAP Properties section of the Configuration > LDAP Settings page, enter the LDAP email field name as specified in your LDAP server. Note that the default is mail.
   LDAP Properties: LDAP mail field name [mail] Update
2. Click Update to save the new name.

Recording Metadata Information

In addition to visually recording user actions on monitored servers, ObserveIT records important information about what is seen on the screen, which applications are currently used, what actions the user has performed, the date and time of the action, and more. This information, which is called metadata, is stored in ObserveIT's database, which is located on a central SQL Server. Because metadata is centrally stored and indexed, it can be used to easily search throughout recorded sessions and provide a textual breakdown of each user session.

Although ObserveIT's main feature is its ability to visually record user sessions, in some cases ObserveIT administrators will configure ObserveIT to record only metadata about specific applications that are accessed on specific servers. While this reduces the visual auditing experience for the user session, the recorded metadata is a very important aspect of the auditing experience and capabilities. Because this metadata
86. of a domain. In this case, you can add that domain to the list of LDAP Targets.

To add a domain to the list of LDAP Targets:
1. Make sure that the server on which the ObserveIT Application Server is installed is a member of a domain.
2. Navigate to Configuration > LDAP Settings.
3. In the Automatic LDAP Target section, click the Detect Domain Membership button.
   Automatic LDAP Target
   Note: Clicking the Detect Domain Controller button will first detect whether the ObserveIT Application Server belongs to an Active Directory domain. If true, an automatic type LDAP path will be added to the LDAP list below. Only automatic type (Auto) domains can be used for Active Directory Groups.
   [Detect Domain Membership] [Synchronize LDAP Groups]
   If the domain path and credentials are valid, the connection will be added to the LDAP Target List. The LDAP Target type will be set to Auto.
   LDAP Targets List
   LDAP Path | Domain Name | UserName | Alias | Type | Created Date
   LDAP://DC=OIT-DEMO,DC=LOCAL | OIT-DEMO.LOCAL | | | Auto | 4/4/2014 | Delete
   Note: The Detect Domain Membership button is grayed out and cannot be used again, because the server can be a member of only one domain.
4. Click Synchronize LDAP Groups to update new group names in Active Directory. This is only relevant if any Active Directory Group names were changed in the ObserveIT configuration, for examp
87. opens.

[Screenshot: New Ticket policy page (Ticketing Policies > Ticketing Systems > New Ticket) with the fields Ticketing System (Custom Web Service); Ticket Details: Window Title, Message To User ("will be displayed upon login"), Comments Mandatory; Policy Type: Always require a valid ticket number / Require a valid ticket number but also allow on-the-fly creation of a new ticket / Ticket number is optional; System Logo File (optional; supported formats jpg, png, gif; max image dimensions 160 W x 40 H); Select Servers: Servers OBS-SRV4, Server Groups All Servers, with the columns Name, Type, Version, Status, Date, Remove]

3. From the Ticketing system drop-down list, select the name of the ticketing system to which you want to assign this ticketing policy.
Note: Ticketing systems can be built-in or customized. For further details, see Configuring Ticketing Systems.
4. In the Ticket Details section, specify the following information:
a. Window Title: Define a title for the ticket, which will appear in the Ticket Window upon user login, for example "Enter a valid ticket number".
b. Message To User: Enter the message text that will be displayed to the user in the Ticket Window.
c. Optionally, if you want to force the user to send a text reply to the ticket message, select the Comments Mandatory check box.
d. Policy Type: Select one of the following options to define the required policy regarding the
88. path
• Last Session Date: Date of last screen capture

Additional Screen Capture Data Storage (Show all paths, including empty or unavailable)
Path | Location | Status | Size (GB) | Slides | Date added | Added by | Last Session Date
C:\FS\Q13W8S8-1 | | Available | 0.01 | 62 | 03/20/2014 | Installer | 03/23/2014
C:\FS2\Q13W8S8-1 | | Empty | 0.00 | 0 | 03/23/2014 | Admin | N/A | Remove

Note: If the status of a file path entry is Empty, you can remove it by clicking the Remove link next to it.

Viewing Servers Database Information

In the Servers Stats tab of the Configuration > Storage page, you can view detailed information about sessions that were recorded on the SQL Servers in the database.

To view details about sessions that were recorded on the SQL Servers:
1. Navigate to Configuration > Storage.
2. Click the Servers Stats tab (the Storage page has the tabs Database Server, Screen Capture Data, and Servers Stats) to view a list of the servers that are recorded in the database.
   Servers Database Information (1-1 of 1)
   Server Name | Slides | Sessions | First Session | Last S
89. path, existing data will remain in the old location.

Following is an example of an ObserveIT monitor log showing alerts activity data (fields are shown here separated by " | "; the first line is the tail of a preceding record):

...SessionID=ABE0554E-ED58-4486-92FB-3FB1EE7DF492&DisplayOnAir=false&SSID=10D578B0-A8ED-47CE-9860-19EE38986945&lang=en
2014-09-03T18:40:38 | 10000002 | process name is wordpad. Alert will be generated when someone will use wordpad | Low | Ran process wordpad | http://WIN-QA2:4884/ObserveIT/ActivityAlerts/ActivityAlerts.aspx?keyword=10000002&viewmode=Full | abe0554e-ed58-4486-92fb-3fb1ee7df492 | OIT\LAURENT | WIN-QA2 | tsta.local | administrator | n/a | Document - WordPad | windows | wordpad | Application | wordpad | http://WIN-QA2:4884/ObserveIT/Slideviewer.aspx?SessionID=ABE0554E-ED58-4486-92FB-3FB1EE7DF492&DisplayOnAir=false&SSID=78A5D3B8-EE01-42AD-A7BB-893D6B301F00&lang=en
2014-09-03T18:31:15 | 10000001 | windows title contains Alert 2. The alert will be generated when someone is opening any application that contains the word pad. This is a high severity | High | Opened window Untitled - Notepad | http://WIN-QA2:4884/ObserveIT/ActivityAlerts/ActivityAlerts.aspx?keyword=10000001&viewmode=Full | abe0554e-ed58-4486-92fb-3fb1ee7df492 | OIT\LAURENT | WIN-QA2 | tsta.local | administrator | n/a | Untitled - Notepad | Notepad | notepad | http://WIN-QA2:4884/ObserveIT/Slideviewer.aspx?SessionID=ABE0554E-ED58-4486-92FB-3FB1EE7DF492&DisplayOnAir=false&SSID=AB02901B-5E1F-4719-891E
90. policy.

Configuring Server Policy Settings

2. In the System Policy section of the Server Policy Template page, select the Enable Key Logging check box.
   [Screenshot: Server Policy Template page, System Policy section, with Enable key logging selected among Enable recording, Enable Identity Theft Detection, Enable API, Show tray icon, Restrict to RDP, Enable hotkeys, Optimize screen capture data size, Enable recording notification ("All activity on this machine is recorded..."); Set image format Grayscale / Server Compression; Set session timeout (minutes) 15; Set keyboard frequency Low; Set continuous recording (seconds) OFF]
3. Click Save to save the changes. Setting changes will take effect on new user sessions after the current sessions are closed.

Optimizing Screen Capture Data Size

Note: This feature is supported on Windows-based server policies only.

To reduce the overall size of storage required for screenshot data, ObserveIT applies an advanced compression algorithm that optimizes the screen capture storage size. The compression algorithm applies to all ObserveIT screenshots, whether they are stored in the SQL Server database or in the file system, on a local hard drive of the ObserveIT Application Server or on a file share in the network. This me
91. Identification Services

5. Later, if required, you can configure either a Manual Server Policy or Server Policies to define which servers will be affected by the new Identification Policy. For further details, see Identification Policy.

Important: To enable secondary authentication for ObserveIT users on Unix/Linux Agents, you must first enable secondary authentication for Unix/Linux policies in the ObserveIT Web Console. For further details, see Enabling Secondary Authentication for Linux/Unix Policies.

Enabling Secondary Identification for Linux/Unix Policies

In the ObserveIT Web Console you can configure the server policy settings that are required for user secondary identification on a Linux/Unix Agent. Before you can do this, you must enable secondary authentication for Linux/Unix policies in the Web Console.

To enable the secondary user authentication settings in the ObserveIT Web Console:
1. Locate the web.config file of the ObserveIT Web Console, located under C:\Program Files (x86)\ObserveIT\Web\ObserveIT.
2. In the web.config file, add the following line under the <appSettings> section:
   <add key="EnabledUnixSecondaryAuth" value="true" />
3. Save the web.config file.
4. Log off and then log back on to the Web Console. The settings for user secondary authentication are now available for configuration on Linux/Unix server policies.

For instructions on how to configure secondary identification poli
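The web.config edit above is usually done by hand, but a duplicated or mistyped key silently leaves the feature off. The following added example, which is not ObserveIT code, applies the change idempotently: it adds the key only when it is absent, corrects its value if present, collapses duplicates, and writes a backup first. The key name and file location are the ones given in the steps; the sample web.config is constructed. Note that ElementTree drops XML comments and the XML declaration when it rewrites a document, so keep the backup and diff the result before trusting it on a production Web Console.

```python
"""Idempotently set <add key="EnabledUnixSecondaryAuth" value="true" /> in web.config.

Added example, not ObserveIT code. The key name and the default path come
from the configuration steps; reading, updating and backing up the file are
this example's own. ElementTree discards comments and the <?xml ...?>
declaration on rewrite, so review the result against the .bak copy.
"""
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

WEB_CONFIG = Path(r"C:\Program Files (x86)\ObserveIT\Web\ObserveIT\web.config")
KEY, VALUE = "EnabledUnixSecondaryAuth", "true"


def set_app_setting(xml_text: str, key: str, value: str) -> str:
    """Return xml_text with exactly one <add key=... value=.../> for key under <appSettings>."""
    root = ET.fromstring(xml_text)
    app = root.find("appSettings")
    if app is None:
        app = ET.SubElement(root, "appSettings")
    matches = [e for e in app.findall("add") if e.get("key") == key]
    if matches:
        matches[0].set("value", value)
        for dup in matches[1:]:  # collapse accidental duplicates
            app.remove(dup)
    else:
        ET.SubElement(app, "add", {"key": key, "value": value})
    return ET.tostring(root, encoding="unicode")


def get_app_setting(xml_text: str, key: str) -> list:
    """All values recorded for key (normally an empty or single-item list)."""
    root = ET.fromstring(xml_text)
    app = root.find("appSettings")
    if app is None:
        return []
    return [e.get("value") for e in app.findall("add") if e.get("key") == key]


def enable_unix_secondary_auth(path: Path = WEB_CONFIG) -> bool:
    """Patch the file in place after saving a .bak copy; True if it changed."""
    original = path.read_text(encoding="utf-8")
    if get_app_setting(original, KEY) == [VALUE]:
        return False
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(set_app_setting(original, KEY, VALUE), encoding="utf-8")
    return True


# Constructed sample web.config (not the shipped file).
SAMPLE = """<configuration>
  <appSettings>
    <add key="SomeOtherKey" value="1" />
  </appSettings>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    print(set_app_setting(SAMPLE, KEY, VALUE))
```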
92. rights to the target domain. You do NOT need to use the Administrator account or a user account that is a member of the Domain Admins group. However, if authentication fails, you could try such an account in order to test your connection.
3. Click Add & Verify.

Manual LDAP Target
Manual LDAP targets can be used to authenticate users for two purposes: Console Users and Identification Services.
Type the correct LDAP path using the following form: LDAP://<Domain Controller Name or IP>/DC=<Domain Name>,DC=<Suffix>. For example, if your Domain Controller name is OBS-DC1 and your domain name is OBSERVEIT-SYS.LOCAL, use the following LDAP path: LDAP://OBS-DC1/DC=OBSERVEIT-SYS,DC=LOCAL
Note: If no name resolution is possible, you might need to enter the Domain Controller IP address instead.
LDAP Path: LDAP://WIN2003-DC/DC=OIT-DEMO,DC=LOCAL
Enter user credentials to verify the LDAP path:
User Name: administrator
Password: [Add]
If the domain path and credentials were valid, the connection will be added to the LDAP Targets List and the LDAP Target type will be set to Manual.
Authentication Configuration: Domain named OIT-DEMO.LOCAL successfully added.

Automatic LDAP Target
Note: Clicking the Detect Domain Controller button will first detect whether the ObserveIT Application Server belongs to an Active Directory domain. If true, an automatic type LDAP path will be added to the LDAP List belo
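The manual LDAP path has to be typed exactly, and the most common mistake is mangling the DC= components of a multi-label domain. The following added example, which is not ObserveIT code, builds and checks that path from a domain controller name and a DNS domain, and includes a plain TCP probe of port 389 of the kind the earlier firewall note calls for. The validation rules and the probe are this example's own; the path format and the port come from this guide.

```python
"""Build and check the LDAP path used for a manual LDAP target, and probe port 389.

Added example, not ObserveIT code. The path format
LDAP://<DC name or IP>/DC=<label>,DC=<label>... and the default LDAP port
389 are from the guide; the validation and the socket probe are this
example's own.
"""
import re
import socket


def build_ldap_path(dc_host: str, domain: str) -> str:
    """'OBS-DC1', 'OBSERVEIT-SYS.LOCAL' -> 'LDAP://OBS-DC1/DC=OBSERVEIT-SYS,DC=LOCAL'"""
    labels = [lab for lab in domain.strip().split(".") if lab]
    if len(labels) < 2:
        raise ValueError("domain must have at least two labels, e.g. corp.local")
    host = dc_host.strip()
    if not re.fullmatch(r"[A-Za-z0-9.\-]+", host):
        raise ValueError("domain controller name/IP contains invalid characters")
    return "LDAP://" + host + "/" + ",".join("DC=" + lab for lab in labels)


def parse_ldap_path(path: str):
    """Return (host, dns_domain) for a well-formed path, else None."""
    m = re.fullmatch(r"LDAP://([^/]+)/((?:DC=[^,]+)(?:,DC=[^,]+)+)", path)
    if not m:
        return None
    host, dn = m.groups()
    return host, ".".join(part[3:] for part in dn.split(","))


def ldap_port_open(host: str, port: int = 389, timeout: float = 3.0) -> bool:
    """TCP connect test from the Web Console server toward a domain controller.

    Only shows that a route and firewall rule exist; it does not bind or
    check signing/LDAPS requirements, which need the directory client itself.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    path = build_ldap_path("OBS-DC1", "OBSERVEIT-SYS.LOCAL")
    print(path, parse_ldap_path(path))
```

Run ldap_port_open from the Web Console server itself, not from an administrator's workstation, since the firewall rule that matters is the one on that path.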
93. [...Optimize screen capture data size, Enable recording notification ("All activity on this machine is recorded..."); Set image format Grayscale / Server Compression; Set session timeout (minutes) 15; Set keyboard frequency Low; Set continuous recording (seconds) OFF]

3. To set continuous recording, select from the drop-down list the required interval in seconds during which you want to continue recording even when no user activity occurs. The following message is displayed:
   Message from webpage: Continuous Recording mode is CPU intensive, which might affect its use on Terminal Services or Citrix servers that host many concurrent sessions. Note that Continuous Recording mode is not available in Metadata-only recording mode.
4. Click OK to continue.
5. Click Save in the Server Policy Template page to save your setting changes.
Note: Setting changes will take effect on new user sessions after the current sessions are closed.

Data Recording Policy

The following features enable you to configure a data recording policy, which controls how much data is recorded during user sessions:
• Recording in Basic or Extended mode
• Limiting Output Data Recording

Note: These features are supported on Unix-based serv
94. server. Click Update to save the settings.

[Screenshot: SMTP Settings page with the fields SMTP Server (192.168.100.1), Mail From (support@observeit.com), User Name, Password, an Email Address field with Send ("Please enter a valid email address for the settings verification message"), and Update and Delete buttons]

This can be an internal SMTP server, such as Exchange 2000/2003/2007/2010 or an internal server running IIS and the SMTP service, or your ISP's outgoing email server. You can also configure a different port if required by the SMTP service provider. When using your ISP's outgoing SMTP server, make sure that you are using the correct user name and password. When in doubt, contact your ISP.

A message will be displayed confirming that the settings were successfully applied.
3. To verify the settings, enter a valid email address in the Email Address text box and click Send.

Monitoring Log Files

ObserveIT creates textual log files for recording all activity as it happens on the monitored servers. These log files, which are stored on the server's hard disk, contain impo
95. servers are the computers on which the ObserveIT Agents are installed and which are being monitored and recorded. In the Configuration > Server Groups page, you configure the ObserveIT server groups.

[Screenshot: Server Groups page with an Add Group button and the columns Server Group Name, Servers, Show in Dashboard: All Servers 3; Active Servers 2; Windows Servers 2; Unix Servers 1; Windows WorkStations 0; Windows Gateway 0; Windows ActiveX 0]
Note: Server groups without attached servers will not be displayed on the dashboard.

The default server groups include:
• All Servers: This group includes all the servers on which the ObserveIT Agent is installed.
• All Active Servers: This group includes all servers that are installed with the ObserveIT Agent but, unlike the All Servers group, only includes servers that are currently configured to be active.
• All Windows Servers: This group includes all the servers that are running any version of the Microsoft Windows operating system and that have the ObserveIT Agent installed on them.
• All Unix Servers: This group includes all the servers that are running supported versions of the Unix/Linux opera
96. settings. For further details, see Enabling Identity Theft Detection.

Overview of the Identity Theft Detection Process
1. The user logs in to a server from the desktop.
2. If Identity Theft Detection is enabled, the user receives an email notification about the login activity. At the same time, an event is triggered. For further details, see System Events.
Note: In order for a user to receive email notifications, the user's email must be configured in the user's profile on the LDAP server. For further details on defining the LDAP mail field name, see LDAP Settings Configuration.
3. If the email notification indicates a suspicious login activity which was not initiated by the user:
a. The user can click the first link in the email text, that is, "If this activity was not initiated by you, click here", to create a high severity event, which will appear in the Events list. See System Events.
b. An email is sent to the ObserveIT administrator reporting the suspicious login event.
4. If the email notification indicates login activity which was initiated by the user, the user can either ignore the email or click the second link in the email text, that is, "If you want to avoid receiving notifications when DomainName\LoginName is logged in from clientName, click here". By clicking this link, the user submits a pairing request to the administrator.
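The process above, together with the pairing expiration options (3 months, 1 year, 3 years, or Never) described in the Pairing Expiration Period section earlier on this page, amounts to a small decision: is this (user, client) pair covered by an approved, unexpired pairing, or should the login produce the notification and event? The following added example, which is not ObserveIT's implementation, makes that decision over a constructed pairing store; the day counts used for the periods, the case-insensitive matching and the record layout are this example's assumptions.

```python
"""Pairing check for Identity Theft Detection logins.

Added example, not ObserveIT's own implementation. A login from a
(domain, user, client) pair with no valid approved pairing yields 'notify'
(send the email and raise the event); an approved pairing is valid for
3 months, 1 year, 3 years, or Never expires. Day counts for the periods,
case-insensitive matching and the store layout are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed day counts for the drop-down options; None means the pairing never expires.
EXPIRATION_DAYS = {"3 months": 90, "1 year": 365, "3 years": 3 * 365, "Never": None}


@dataclass(frozen=True)
class Pairing:
    domain: str
    login: str
    client: str
    approved_on: datetime
    period: str  # one of the EXPIRATION_DAYS keys

    def expires_on(self):
        days = EXPIRATION_DAYS[self.period]
        return None if days is None else self.approved_on + timedelta(days=days)

    def is_valid(self, now: datetime) -> bool:
        exp = self.expires_on()
        return exp is None or now < exp


def _key(domain, login, client):
    # Windows domain, account and host names are matched case-insensitively (assumption).
    return (domain.lower(), login.lower(), client.lower())


def evaluate_login(pairings, domain, login, client, now):
    """Return 'paired' (stay silent) or 'notify' (email the user and raise the event)."""
    wanted = _key(domain, login, client)
    for p in pairings:
        if _key(p.domain, p.login, p.client) == wanted and p.is_valid(now):
            return "paired"
    return "notify"


def expired_pairings(pairings, now):
    """Pairings an administrator would see as lapsed and might re-approve."""
    return [p for p in pairings if not p.is_valid(now)]


# Constructed sample store (not real ObserveIT data).
PAIRINGS = [
    Pairing("CORP", "alice", "WS-ALICE", datetime(2014, 1, 10), "3 months"),
    Pairing("CORP", "bob", "WS-BOB", datetime(2014, 1, 10), "Never"),
    Pairing("CORP", "carol", "JUMP-01", datetime(2013, 6, 1), "1 year"),
]

if __name__ == "__main__":
    now = datetime(2014, 9, 3, 18, 40)
    for who in (("CORP", "alice", "WS-ALICE"), ("CORP", "bob", "ws-bob"),
                ("CORP", "carol", "JUMP-01"), ("CORP", "bob", "KIOSK-7")):
        print(who, evaluate_login(PAIRINGS, *who, now))
```

An expired pairing is treated exactly like a missing one: the user is notified again and has to submit a fresh pairing request, which is the behaviour the expiration period is meant to enforce.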
specific application. Note: Application names are listed in the Windows Task Manager. Other value examples: regedit, install, setup.

Application full path
  Description: Full path of the application that the user ran.
  When should I use this option: Use this option if you want to configure an alert based on the explicit path to the application.
  Condition examples: Ran Application: Application full path is C:\Program Files\OpenVPN\bin\openvpn.exe

Process name
  Description: Name of the process that the user ran.
  When should I use this option: Use this option if you want to configure an alert when the user runs a specific process. Note: You must specify the process name without the file extension, for example regedit instead of regedit.exe.
  Condition examples: Ran Application: Process name is regedit, WINWORD, iexplore, services

Window title
  Description: Title of a window that was opened by the user.
  When should I use this option: Use this option if you want to configure an alert when a specific window title is opened, or when the title contains specific words that you are looking for.
  Condition examples: Ran Application: Window title is "hosts.txt - Notepad", "Viewing Alerts.docx - Microsoft Word"; Ran Application: Window title contains host, permission, security

Permission
  Description: Logged-in user's permissions level.
  When should I use this option: Use the "is Admin" permission level to check that an application is run with elevated (Admin) permissions. Use the "is not Admin" permission level to check Ra
  Condition examples: Ran Application: Permission level is Admin
system limitations.
- For further details about the ObserveIT archiving process, see Managing the Archive Storage.

Backing Up the ObserveIT Databases

Database Maintenance
The ObserveIT databases should be maintained on a regular basis and kept at a manageable size in order for the system to work properly and efficiently. In addition to archiving, database maintenance is performed by the Re-indexing and Update Statistics processes.

Database re-indexing reorganizes the data of the tables' indexes to increase the performance of SQL queries and the overall performance of the database. Fragmented indexes are not efficient and consume additional system resources, thus degrading performance.

The Update Statistics process collects information about queries in the database and helps the Execution Planner in the database reach better results when selecting an Execution Plan for queries.

These two processes result in faster query execution and faster data retrieval, thus providing an overall increase in database performance.

The following procedures are recommended to increase overall database performance:
- Rebuild Indexes: Schedule a smart index rebuild on a daily basis, after the archiving process is completed.
- Statistics Update: Schedule a stats update with FULLSCAN on a daily basis.
For further details, refer to the documentation and maintenance scripts describe
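The two recommended procedures above (a "smart" index rebuild that only touches fragmented indexes, followed by a FULLSCAN statistics update) can be planned from the fragmentation figures SQL Server reports. The following Python planner is an added example, not ObserveIT's own maintenance script: its input rows mimic what sys.dm_db_index_physical_stats returns, the table and index names are constructed, and the fragmentation thresholds are assumptions taken from common SQL Server practice rather than from this guide.

```python
"""Plan a 'smart' index rebuild plus a FULLSCAN statistics update for a SQL Server
database such as the ObserveIT databases.

Added example, not ObserveIT's own maintenance script. Input rows mimic what
sys.dm_db_index_physical_stats reports (schema, table, index, average
fragmentation percent, page count). The thresholds are assumptions drawn from
common SQL Server index maintenance practice, not from the guide.
"""
from dataclasses import dataclass
from typing import List, Optional

REORGANIZE_AT_PCT = 5.0   # assumed: below this fragmentation, leave the index alone
REBUILD_AT_PCT = 30.0     # assumed: at or above this, rebuild instead of reorganize
MIN_PAGES = 1000          # assumed: very small indexes are not worth touching


@dataclass(frozen=True)
class IndexStats:
    schema: str
    table: str
    index: str
    fragmentation_pct: float
    page_count: int


def quote_ident(name: str) -> str:
    """Quote a T-SQL identifier; a literal ']' inside the name is doubled."""
    return "[" + name.replace("]", "]]") + "]"


def plan_index_action(stat: IndexStats) -> Optional[str]:
    """Return the ALTER INDEX statement for one index, or None if it is healthy enough."""
    if stat.page_count < MIN_PAGES or stat.fragmentation_pct < REORGANIZE_AT_PCT:
        return None
    target = f"{quote_ident(stat.index)} ON {quote_ident(stat.schema)}.{quote_ident(stat.table)}"
    if stat.fragmentation_pct >= REBUILD_AT_PCT:
        return f"ALTER INDEX {target} REBUILD;"
    return f"ALTER INDEX {target} REORGANIZE;"


def build_maintenance_batch(stats: List[IndexStats]) -> List[str]:
    """Index actions first (run after archiving has shrunk the tables), then a
    FULLSCAN statistics refresh for every table that was measured."""
    batch = [action for action in map(plan_index_action, stats) if action]
    for schema, table in sorted({(s.schema, s.table) for s in stats}):
        batch.append(f"UPDATE STATISTICS {quote_ident(schema)}.{quote_ident(table)} WITH FULLSCAN;")
    return batch


# Constructed sample fragmentation figures; table and index names are hypothetical.
SAMPLE_STATS = [
    IndexStats("dbo", "Sessions", "IX_Sessions_StartDate", 45.2, 12000),  # heavily fragmented
    IndexStats("dbo", "Slides", "IX_Slides_SessionId", 12.5, 8000),       # mildly fragmented
    IndexStats("dbo", "Users", "PK_Users", 60.0, 40),                     # too small to bother
    IndexStats("dbo", "Events", "IX_Events_Date", 2.0, 5000),             # barely fragmented
]

if __name__ == "__main__":
    print("\n".join(build_maintenance_batch(SAMPLE_STATS)))
```

The emitted batch is meant to be scheduled as a daily job after archiving completes; rebuilding rather than reorganizing the heavily fragmented index is what makes the pass "smart", since a full rebuild of every index every night would cost far more I/O than the guide's advice requires.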
the Edit link next to it.

[Screenshot: Edit Alert Notification Policy dialog. Policy name: Hourly digest. Email Recipients: micky@observeit.com (Add / Remove). Email Frequency: On every alert; Digest email no more than once every 60 minutes; Daily digest email at 08:00:00]

2. In the Edit Alert Notification Policy dialog box, edit any of the settings as described in steps 2 and 3 of the previous procedure.
3. Click Save to save your settings. The edited notification policy will be available for selection in the Activity Alert Rules page.

To delete a notification policy:
1. In the Alert Notification Policies page, click the Delete link next to the policy you want to delete. A dialog box opens, warning you about any alert rules that are currently using this policy.
   [Screenshot: Delete Notification Policy dialog: "The 3 alert rules currently using this policy will be set to No Notifications. Proceed?" with Cancel and Delete buttons]
2. If you are sure that you want to continue, click Delete. The deleted notification policy will no longer be available for selection in the Activity Alert Rules page.

Editing and Duplicating Alert Rules
This topic describes how to edit and/or duplicate the content of an existing alert rule.
Note: The procedures for editing and duplicating alert rules are identical.

To edit an existing alert rule:
1. In the Alert Rules list in the Activity Alert Rules tab, click the relevant alert rul
the causes and respond accordingly.

[Screenshot: System Services portal with the Notification Service, Health Monitoring and Alert Rule Engine icons]

Services that are OK (normal, active) and services with errors are each marked by the corresponding status icon.

To drill down to events related to the system services:
1. In the System Services portal, click a service icon (Notification Service, Health Monitoring, or Alert Rule Engine). The System Events page opens, displaying all the related system events that occurred on the particular system service. The most recent event appears at the top of the list.
   [Screenshot: System Events page filtered by Component = Notification Service for the period 12/30/2014 to 01/07/2015, showing event 1306 (Functionality, "Notification Service has stopped", server W12-S12-D02, Severity High, Email Sent No, Remediation Status New) received 1/6/2015 3:20 PM, and event 1305 (Functionality, "Notification Service has started") received 1/4/2015 10:25 AM]
2. Expand an event to view more details.
3. Assess the problem and perform the r
the condition. Note that you can enter multiple values separated by commas; multiple comma-separated values use OR logic. Repeat the above steps for each condition that you want to define. When you have finished, click Save to save your settings.

Activity Alerts
The following topics provide some scenarios which are designed to help you understand how to configure Did What conditions using the group and field options in the Create Alert Rule page:
- How to Configure the Ran Application Group Options
- How to Configure the Visited URL Group Options
- How to Define an Executed SQL Command Statement
- How to Configure the Executed Command Group Options

How to Configure the Ran Application Group Options
This topic provides details and a typical scenario to help you understand how to configure the Did What field options in the Ran Application group.
Note: These options apply to Windows operating systems only.
For general information about defining Did What conditions, see Defining the Did What Conditions.

The Ran Application group includes the following options for configuring conditions (Option / Description / When should I use this option / Condition examples):

Application name
  Description: Name of the application that the user ran.
  When should I use this option: Use this option if you want to configure an alert when the user runs a
  Condition examples: Ran Application: Application name is SSMS (SQL Server Management Studio)
  Note: Application
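The Ran Application options above, together with the rule that comma-separated values are OR'ed and that a process name is written without its extension, amount to a small condition language. The following Python evaluator is an added example, not ObserveIT's rule engine: it applies those stated semantics to a constructed observation of an application launch. Case-insensitive matching, the AND across a rule's conditions, and the shape of the observed-activity record are assumptions.

```python
"""Evaluate 'Did What' conditions of the Ran Application group against an
observed application launch.

Added example, not ObserveIT's rule engine. It models what the guide states:
each condition has a field, an operator ("is" or "contains") and a value list;
comma-separated values are OR'ed; a Process name value is written without the
.exe extension. Case-insensitive matching, AND across the conditions of one
rule, and the activity record layout are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Condition:
    field: str      # application_name, application_full_path, process_name, window_title, permission
    operator: str   # "is" or "contains"
    value: str      # one or more values, comma-separated (OR logic)


def split_values(raw: str) -> List[str]:
    """Comma-separated values, trimmed, empty entries dropped."""
    return [v.strip() for v in raw.split(",") if v.strip()]


def normalize(field: str, value: str) -> str:
    """Lower-case for comparison; drop .exe from observed process names because
    the rule is written without the extension (regedit, not regedit.exe)."""
    value = value.strip().lower()
    if field == "process_name" and value.endswith(".exe"):
        value = value[:-4]
    return value


def condition_matches(cond: Condition, activity: Dict[str, str]) -> bool:
    observed = normalize(cond.field, activity.get(cond.field, ""))
    candidates = [normalize(cond.field, v) for v in split_values(cond.value)]
    if cond.operator == "is":
        return any(observed == c for c in candidates)
    if cond.operator == "contains":
        return any(c in observed for c in candidates)
    raise ValueError(f"unsupported operator: {cond.operator}")


def rule_matches(conditions: List[Condition], activity: Dict[str, str]) -> bool:
    """All conditions of a rule must hold (AND); values inside a condition are OR'ed."""
    return all(condition_matches(c, activity) for c in conditions)


# Constructed observation: a user opening the registry editor with elevated rights.
SAMPLE_ACTIVITY = {
    "application_name": "Registry Editor",
    "application_full_path": r"C:\Windows\regedit.exe",
    "process_name": "regedit.exe",
    "window_title": "Registry Editor",
    "permission": "Admin",
}

# The guide's own condition examples, expressed as rules.
ELEVATED_ADMIN_TOOLS = [
    Condition("process_name", "is", "regedit, WINWORD, iexplore, services"),
    Condition("permission", "is", "Admin"),
]
SENSITIVE_WINDOW = [Condition("window_title", "contains", "host, permission, security")]

if __name__ == "__main__":
    print("elevated admin tool:", rule_matches(ELEVATED_ADMIN_TOOLS, SAMPLE_ACTIVITY))
    print("sensitive window:", rule_matches(SENSITIVE_WINDOW, SAMPLE_ACTIVITY))
```

Combining the Process name condition with Permission level is Admin, as in the first rule, is how you keep the alert focused on elevated use of administrative tools rather than on every launch of those processes.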
the purpose of their connection, the actions they intend to perform, contact information, ticket or support request numbers, and more. When Lock User's Desktop is configured for a message, users will be unable to access their desktop until they acknowledge the message.

Managing Messages

Configuring Advanced Message Settings (Servers, Users, Message Display Duration)
You can specify the servers on which to display the message, the users who will receive the message, and the message display duration.

To select the servers on which to display the message:
1. In the Message Details section in the Message > Create page, click the expand icon to expand the Advanced section. By default, the message will be displayed on all the monitored servers. You can change that by using the Select Servers section of the Advanced settings.
   [Screenshot: Select Servers section with a Servers field (WIN2003-SRV1, Add), a Server Groups list (All Servers, Add), and a table with Name / Type / Version / Status / Date columns listing "All Servers" of type Group with a Remove link]
2. In the Select Servers section, in the Servers field, click the browse icon to browse for specific servers on which you want to display the message.
3. From the Server Groups drop-down list, select a group of servers to add to the list.
   Note: Unless you want the message to be displayed on all the monitored servers, make sure you also remove the All Servers group from the list of servers.

To select the users who will receive the message
the report result. To add or remove columns, go back to step 1.

[Screenshot: step 4, Selected Columns, for a Latest Sessions report: Server Name, Server Version, Recording Status, Sessions Count, Server Last Activity Date, Login Name, Slides Count, User Name, Session Video, Domain Name, Session End Date, Session Start Date; Preview, Cancel and Save buttons]

10. Before saving the report, you can click the Preview button to view the results of the report and make modifications to the filter as needed. If required, you can go back to the first step and modify your settings. When finished, click the Save button.
11. Save the report by providing a name and, if required, a description. Click Save and Finish.
    [Screenshot: Save Report dialog with Report Name "All Remote Desktop Sessions in the past month" and Report Description "Lists all Remote Desktop Sessions in the past month"; Save and Finish button]

Managing Reports
12. In the Reports list, you can run the newly created report, edit it, or copy it to create a new report with the same settings (useful when you need to make a
themselves with the ObserveIT Identification Services.

ObserveIT allows you to create a connection between the ObserveIT Application and Web Console server components and an external LDAP server, such as a Microsoft-based Active Directory Domain Controller. This connection is an LDAP read-only connection in which the ObserveIT server components query the LDAP server for logon information. This enables you to utilize the user accounts (and in some cases group accounts) from within the Active Directory domain to obtain access to the ObserveIT Web Console and to provide users with the necessary credentials for the ObserveIT Identification Services.

- If the server on which the ObserveIT Application Server is installed is a member of an Active Directory domain, that Active Directory domain will be automatically added to the list of LDAP Targets and will be configured as an Automatic type LDAP Target. This will enable the usage of Active Directory users and groups from all domains in the Active Directory forests that are connected to the current forest. For further details, see Automatic LDAP Targets.

Note: ObserveIT easily integrates with your Active Directory forest, enabling you to use user and group objects from any domain in the forest in which the ObserveIT server-side components are installed and in which the ObserveIT Agents are deployed (if different). Cross-forest trusts can also be used. Although using groups from Active Directory domains i
to the Application Server. You may specify the file system path where the recorded data will be temporarily stored, or you can store the data in the default product path, which is a folder under the directory of the installed ObserveIT Agent. On Unix-based server policies, you can also define limits for the size of the offline storage for each recorded machine and/or each recorded session.

You can configure an offline recording policy manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies in order to configure many servers (Agents) simultaneously.

To enable offline mode recording using Server Policies:
1. In the Configuration > Server Policies page, click Create or select a server policy template (Windows-based or Unix-based policy).
2. If the server policy is Windows-based, in the Offline Policy section of the Server Policy Template page, configure an offline policy as follows:
   [Screenshot: Offline Policy section with an Enable check box and a "Limit offline storage to 500 MB" field]
   a. Select the Enable check box.
   b. In the Limit offline storage to field, specify (in MB/GB) the maximum volume of data that can be stored offline. The default is 500 megabytes. If the maximum volume of data is exceeded, content will be overwritten from the beginning.
3. If the server policy is Unix-based, in the Offline Recording Policy section, configure an offline
unlink a Server Policy from a server:
1. Navigate to Configuration > Servers.
2. In the Servers list, click the name of the server for which you want to unlink the Server Policy.
3. At the top of the server's properties page, click the "unlink the policy" link.
   [Screenshot: properties page of server W2K8-S8-D02 (Agent 5.8.0.0) with the notice "Currently server is linked to the Default Windows-based Policy configuration policy. In order to enable the Save button you must first unlink the policy"; fields Server ID 1497b10c-4eeb-4512-9b82-4b4ca368770c, Server Name W2K8-S8-D02 (Modify Name), Server Policy Template: Default Windows-based Policy (Change Template), App Server http://127.0.0.1:4884/ObserveITApplicationServer, and the Enable recording, Enable Identity Theft Detection and Enable API check boxes]
   A message is displayed prompting you to acknowledge your action.
4. Click OK to proceed.
5. After unlinking the policy, you can make changes to the server configuration. When you have finished, click Save. The server mode changes to Manual, as shown next to the relevant server in the Servers list.
   [Screenshot: Configuration > Servers list]
user session.

[Screenshot: Activities > Latest Sessions view for server W2K8-S8-D02 over the period 1/6/2015 to 1/14/2015 (Filter by login user: All), listing 12 Administrator sessions with Duration, Login, Server, Client (OIT-DAVID), Slides and Video columns]

By default, all idle sessions time out at 15 minutes.

Configuring Server Policy Settings
You can configure the session timeout manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.

To configure the session timeout using Server Policies:
1. In the Configuration > Server Policies page, click Create or select a server policy template (default Windows-based or Unix-based policy).
2. In the System Policy section of the Ser
which in effect says: "I do not want to receive emails when I connect from this client. Please approve this user/client pairing." If the pairing request is approved by the administrator, the user will no longer receive emails about activity for this specific user/client pairing. If the administrator rejects the pairing request, the user will continue to receive email notifications about this user/client activity. In addition, a new pairing request event is added to the Events table with a Not Approved status, and a message is sent to the user confirming this.

Note: If Identity Theft Detection is enabled and the ObserveIT system fails to send an email notification to the user, the email will be redirected to the administrator.

The following topics describe:
- Configuring Pairing Requests
- Configuring Identity Theft Settings

Identity Theft Detection

Configuring Pairing Requests
ObserveIT keeps track of authorized user login IDs and their client machines by pairing the domain name/login name of the user with the client computer from which the user logged in. If a user logs in to a server from a client that is not paired to the user, the user is notified by email that a suspicious login occurred using the user's credentials. If the email notification indicates that the login was initiated by the user, the user can ignore the email or submit a pairing request to the administrato
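The Identity Theft Detection process (the overview earlier on this page and the pairing-request workflow just described) is a small state machine over user/client pairings. The following Python model is an added example, not ObserveIT's implementation: it notifies on a login from an unpaired client, raises a high severity event and mails the administrator when the user reports "not me", and applies the approve/reject outcomes the guide states. The domain, user names, host names and addresses are constructed, and the event severities, record layouts and the redirect-to-administrator rule for users without a mail address are assumptions beyond the guide's own wording.

```python
"""Model of Identity Theft Detection: user/client pairings, notification on
unpaired logins, and the pairing-request workflow.

Added example, not ObserveIT's implementation. Follows the guide's described
behaviour; the event/email record layouts and the severity assigned to a
routine unpaired-login notification are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]  # ("DOMAIN\\login", "client-host")


@dataclass
class Event:
    name: str
    severity: str
    status: str = "New"
    detail: str = ""


@dataclass
class IdentityTheftDetector:
    admin_email: str
    user_emails: Dict[str, str]                 # the LDAP mail attribute per DOMAIN\login
    pairings: Set[Pair] = field(default_factory=set)
    pending: Set[Pair] = field(default_factory=set)
    events: List[Event] = field(default_factory=list)
    emails: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, subject)

    def _mail_user(self, user: str, subject: str) -> None:
        # a notification that cannot reach the user is redirected to the administrator
        self.emails.append((self.user_emails.get(user, self.admin_email), subject))

    def login(self, user: str, client: str) -> bool:
        """Return True when the login is from a client not paired with the user."""
        if (user, client) in self.pairings:
            return False
        self.events.append(Event("Login from unpaired client", "Medium", detail=f"{user} from {client}"))
        self._mail_user(user, f"Login activity: {user} from {client}")
        return True

    def report_not_me(self, user: str, client: str) -> None:
        """First link in the mail: the user denies initiating the activity."""
        self.events.append(Event("Suspected identity theft", "High", detail=f"{user} from {client}"))
        self.emails.append((self.admin_email, f"Suspicious login reported: {user} from {client}"))

    def request_pairing(self, user: str, client: str) -> None:
        """Second link in the mail: stop notifying for this user/client pair."""
        self.pending.add((user, client))

    def approve(self, user: str, client: str) -> None:
        self.pending.discard((user, client))
        self.pairings.add((user, client))

    def reject(self, user: str, client: str) -> None:
        self.pending.discard((user, client))
        self.events.append(Event("Pairing request", "Low", status="Not Approved", detail=f"{user} from {client}"))
        self._mail_user(user, f"Pairing request for {client} was not approved")


def demo() -> IdentityTheftDetector:
    """Constructed walkthrough with a hypothetical domain, users, hosts and addresses."""
    det = IdentityTheftDetector(admin_email="admin@example.test",
                                user_emails={"EXAMPLE\\danielp": "danielp@example.test"})
    det.login("EXAMPLE\\danielp", "OIT-DANIEL")      # unknown client: notify + event
    det.request_pairing("EXAMPLE\\danielp", "OIT-DANIEL")
    det.approve("EXAMPLE\\danielp", "OIT-DANIEL")
    det.login("EXAMPLE\\danielp", "OIT-DANIEL")      # now paired: silent
    det.login("EXAMPLE\\danielp", "KIOSK-07")        # different client: notify again
    det.report_not_me("EXAMPLE\\danielp", "KIOSK-07")
    det.login("EXAMPLE\\bennyt", "OIT-BENNY")        # no mail on file: goes to the administrator
    return det


if __name__ == "__main__":
    for ev in demo().events:
        print(ev.severity, ev.status, ev.name, ev.detail)
```

Approving a pairing silences only that one user/client combination; a rejected request leaves the notifications in place and records the Not Approved event, so an approval trail exists for every client that stops generating mail.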
which you want to add a comment. The System Event Comment dialog box opens, where you can enter your comment.
   [Screenshot: System Event Comment dialog with a text box and Save / Cancel buttons]
2. Click Save to save your comment. The comment is displayed as a link in the Comment field in the expanded event details area. You can click this link to edit the comment in the text box.

To search for events according to comments that were entered:
1. In the Comment text box in the Filters area, enter text related to the comment of the event(s) that you want to view.
2. Click Show to show the events based on the specified comment text.

Defining the Remediation Status of Events
In the System Events page, you can define or edit the current remediation status of the events. You can search for events according to their defined remediation status.

To define the status of an event:
- In the System Events list, from the drop-down list in the expanded details of the event whose remediation status you want to configure, select one of the following options:
  - New: The event is new.
  - In Process: The event is currently being handled.
  - Closed: The event is no longer relevant.

To search for events according to the defined remediation status:
1. From the Remediation Status drop-down list in the Filters area, select the remediation status of the events you want to view. Options include:
  - All, to view events of any status
  - New & In Process, to view all New
write to file. Application Server events are triggered from the Application Server (for example, "The ObserveIT Application Server has stopped working"). Web Console events are triggered from the Web Console (for example, "Allocated storage space has reached its limit"). Services events are triggered by system services. Database events are triggered by the database. Health Monitoring events are triggered by the Health Monitoring Service. Rule Engine events are triggered by the Rule Engine Service.

Remediation Status: To search for events by remediation status, select an option from the list: New, In Process (currently being handled), Closed, or All (this includes only events that are New and In Process).

Email Sent: To search for events for which an email notification was sent or not sent, select Yes or No, or select All to view all events.

Comment: To search for events by comment, type the relevant text in the text box.

Period: To search for events by time period, specify a time period (Last) or a date range for your search (Start Date and End Date).

System Events

Adding Comments to Events
In the System Events page, you can add or edit a comment for an event if and when required. You can search for events according to comments that were entered.

To add/edit a comment for an event:
1. In the System Events list, click the Add Comment link in the expanded details of the event to
[Screenshot: Servers list rows with status Error on 12/14/2014 (Unregister and System Events links), expanded to show Status Details: Service Terminated, OS Type: Windows, OS Version: Windows Server 2008 R2; a second row for W2K8-S8-QA11 with Default Windows-based policy, version 5.8.0.0, status Error 12/14/2014 and the same details]

For explanations of the icons and colored severity levels of system events and operational statuses, see Colored Severity Levels and Icons. For descriptions of the Agent statuses and details, see Assessing Agent Statuses and Details.

Assessing Agent Statuses and Details
The following table describes the ObserveIT Agent statuses and status details that appear through the Web Console in the Admin Dashboard, in the Servers list, and in the System Events list. To identify the causes, go to the System Events list and resolve them.

Agent Status / Status Details / Possible Reasons (Triggers):

Active
  Status Details: none
  Possible Reasons: The Agent is functioning normally. The Agent Service is up and running. The Agent machine and service are accessible.

Service Stopped, Service Killed, Service Terminated
  Possible Reasons: The Agent Service has stopped. The Agent Service was killed by a command or was terminated due to system causes; however, the machine is respon
[Screenshot: System Events list for server W2K8-S8-QA11, period ending 01/09/2015, showing Functionality events 1304 "Application Server is not working properly" (10:33 AM, 10:41 AM) and 1301 "Application Server is running", each with an Add Comment link]

3. Expand an event to view more details.
4. Assess the problem and perform the required corrective action. For example, if the Application Server is not working properly, then you need to restart the Internet Information Services (IIS) to restart the Application Server. For further details about system events and event types, and some possible causes and solutions, see Viewing System Events and Event Types.

Assessing Application Server Statuses and Details
The following table describes the ObserveIT Application Server statuses and status details that appear through the Web Console in the Admin Dashboard, in the Servers list, and in the System Events list. To identify the causes, go to the System Events list and resolve as necessary.

Application Server Status / Status Details / Possible Reasons (Triggers) / Load Balancer Status:

OK
  Status Details: N/A
  Possible Reasons: The Application Server is active (functioning normally).

Error
  Possible Reasons: The Application Server is not working properly.
  Status Details: Unable to Save The
[Screenshot: Alert list for the period ending 07/24/2014 (Alert rule: All, 11 alerts) with entries on 7/21/2014 and 7/20/2014 such as "Browsing SETTINGS pages" and "Unix privileged deletion or ...". The Screen capture & details pane shows: Who: micky (View rule details); Did What: General Account Settings, Google Chrome, https://www.facebook.com/setting; On which Computer: OBSERVEIT-PM; From which Client: OIT-MICKY (10.1.100.100); When: Sunday 7/20/2014 12:16 PM; Alert ID: 10000004]

2. Browse through the screenshots by clicking the Next or Previous buttons. The alert details change accordingly.
3. Click the Video icon to open the Session Player at the screen location where the alert was generated.
4. Click the maximize icon to maximize the screenshots view, as shown in the following example.
   [Screenshot: maximized screenshot view of a "Browsing SETTINGS pages" alert with a View rule details link]
[Screenshot: Servers list row W2K8-S8-QA11, Default Windows-based, 5.8.0.0, OK, installed 12/23/2014, last activity 12/23/2014, License]

For each server, the Servers list displays the following details:
- Server Name
- Server Policy to which the server is linked
- Version of the Agent software installed on the server
- Status and colored severity bar, indicating the event/operational status and severity level: Red (High: Error); Orange (Medium: Unreachable, Disabled); Green (Normal: Active, OK); Blue (Low, Administrative: Unregistered, Uninstalled). See also Colored Severity Levels and Icons in the Admin Dashboard section.
- Installation date of the Agent software
- Last Activity: date of the last activity that was reported by the Agent installed on the server

You can expand a server to view more details. The details vary per the server status. The Status Details field appears only when the status is not OK. OS Type and OS Version appear for many statuses. For example, the following figure displays Error status, and Status Details displays Tampered With. The colored severity bars indicate the event severity level, for example Red (High).

[Screenshot: Servers list columns Server Name / Server Policy / Version / Status / Installation / Last Activity, with a row for Default Windows-based Policy, 5.8.0.0, Error, 12/4/2014, 12/4/2014 (Unregister, System Events links), expanded to show Status Details: Tampered With, OS Type: Windows, OS Version: Windows Server 2008 R2]

You can drill down to examine the system events that occurred on the server in order t
The new Local ObserveIT users are displayed in the Local ObserveIT Identification Users section.

[Screenshot: Local ObserveIT Identification Users ("These are the Local ObserveIT Targets against which the users will authenticate"), 3 users: bennyt, davidg and jamest, each with Update Date 1/12/2015 and a Delete link]

Note: Local ObserveIT users cannot be modified. If you need to change the user's password or logon name, you must first delete the user and re-create it.

After configuring the users, whenever a Forced Identification user logs on to a monitored server, they will be able to use the user name and password credentials that were configured for this Local ObserveIT Identification User for secondary authentication. In addition, the ObserveIT administrator or security auditor will be able to see exactly who used the Administrator's built-in account by looking at the Server Diary, User Diary, Search, or Reports page.

[Screenshot: session list with Session / Duration / Login / User / Server / Client / Slides / Video columns, showing Administrator sessions on WIN2003-OITSRV from 1/11/2015 and 1/8/2015 where the User column identifies the actual person (jamest, danielp) or n/a]
[Screenshot: Servers list rows with Status Error, Installation and Last Activity 12/2/2014 and 12/1/2014, and Unregister / System Events links]

To drill down to examine Agents with data loss:
- In the Agents portal, click the Data Loss icon next to the relevant Agent group. The Servers list opens, filtered to display the Agent group members that have incurred data loss in the last week. Each row displays the group member that incurred data loss, marked by the data loss icon.

In the expanded details of the Agent group member, the Status Details field displays Data Loss. The colored severity bars indicate the event severity level, for example Red (High), if the data loss occurred while the Agent was running. If the data loss occurred while the Agent was offline (due to a threshold error when the limit in MB was exceeded, or lack of disk space), the status is OK (the status does not change to Error).

[Screenshot: Configuration > Servers page filtered by Group = All Servers (3 servers), with Server Name / Server Policy / Version / Status / Installation / Last Activity columns, including W2K8-S8-QA14 with the Default Windows-based policy, version 5.8]
[Screenshot: System Events row: 2:52 PM, 1220, Tampering, "Process was killed and automatically restarted", W2K8-S8-QA11]

In the System Events page, administrators can:
- View system events generated by the ObserveIT system and view related details, including name, severity and type
- Filter the events displayed per specified criteria
- Add comments to events
- Define the remediation status of events
- Configure email notification policies for events, to determine who gets notified by email, for which event types, and at what frequency

For descriptions of the event types and some possible causes and solutions, see Event Types.

Event Types
When an event is generated by the ObserveIT system, the event name and details appear in the System Events list. The following tables describe some of the event types, organized per event source, with some possible causes and solutions as relevant.

Agent Events (Event Name / Category / Severity / Description):
- Agent Service has started | Functionality | Low | The ObserveIT Agent Service has reported that it has started.
- Agent Service has stopped | Functionality | High | The ObserveIT Agent Service has reported that it has stopped. To receive Agent health check reports, it must be restarted.
- Agent Service was terminated | Functionality | High | The ObserveIT Agent Service was terminated due to system causes; however, the machine
[Screenshot: Servers list with two rows: Default Windows-based, version 5.8.0.0, OK, installed 1/7/2015; Default Unix-based Policy, version 8.0.153, OK, installed 1/7/2015; System Events link]

   A message is displayed prompting you to acknowledge your action.
2. Click OK to proceed. The Agent version is changed to Uninstalled and the status is changed to Disabled. This frees up one license, allowing you to use that license to install an Agent on a new machine.

Servers

Unlinking a Server Policy from Servers
By default, all the servers are automatically configured by the Default Server Policy Template. Any change to that Server Policy will affect all linked servers. You can link a different Server Policy to individual servers or to server groups.

When you are making changes to the configuration of just one server, you may want to manually change the settings on that particular server and not create a new Server Policy just for that purpose. When doing so, the Server Policy that was previously linked to that server will be unlinked, and the server status will change to Manual.

When the server is linked to any Server Configuration Policy, the Save button is disabled. To enable the Save button, you must first unlink the Server Configuration Policy from the server.

To
[Screenshot: Policy Servers page for the Default Windows-based Policy (Back to Server Policy Templates, Add Servers from Group), listing W2K8-S8-D02, version 5.8.0.0, Active, 1/6/2015, with a Remove link]

4. In the Servers List (Add Servers to Group) window, select the check boxes next to the servers you want to add to the list. You can also use the Search box to find specific servers.
5. Click the Add Checked Servers button.
6. Click OK to proceed. The server appears in the Policy Servers page.

To remove a server from the list of linked servers:
- In the Policy Servers page, click the Remove link next to the relevant server name.
  [Screenshot: Policy Servers page for the Default Windows-based Policy listing W2K8-S8-D02, 5.8.0.0, 1/6/2015]

Server Policies
Note: Because you are unlinking a server and not linking it to any other Server Policy Template, the status of the unlinked server will change to Manual.
After the correct password has been entered, you can disable Session Replay Privacy Protection or change the password.
2. Clear the Enable Session Replay Privacy Protection check box.
3. Enter and confirm the new password, as required.
4. Click Save.
   [Screenshot: Session Privacy page, Session Replay Privacy Protection: Unlocked. "When Session Replay Privacy is enabled, any attempt to replay a user session will require a password." Enter Password (max 14 characters), Confirm Password, Save]

Activity Alerts
Alerts, also known as activity alerts, are user-defined notifications which are generated when suspicious login events or user activity occur during a session. Alert rules configured by ObserveIT administrators define the conditions under which an alert will be triggered.

The Activity Alerts feature provides ObserveIT with a proactive, real-time detection and defense mechanism. This feature enables ObserveIT administrators to configure fully customizable and flexible rules which define the conditions in which user actions will cause alerts to be generated. Alerts are based on suspicious login events or user activities that occur during a session. By highlighting suspicious user activity events in real time, administrators and IT security personnel can respond quickly and effectively to any del
Application Server failed to save recorded data

Deployed Agent Versions and Recently Installed/Uninstalled Agents
In the Deployed Agent Versions portal, located at the top of the Admin Dashboard, you can view the current Agent version number and how many Agents are running the latest software and earlier software versions. This enables you to easily identify whether the upgrade was successful and which main software version most of the Agents are running, which may help you determine whether you want to upgrade other Agents that are currently running earlier versions. You can also view the number of Agents that were recently installed and uninstalled in the past 7 days.

From the Deployed Agent Versions portal, you can drill down to examine further details about the Agents, including operational statuses.

[Screenshot: Deployed Agent Versions portal, with a legend for Latest version and Earlier version]

To view deployed Agent versions and to drill down to further details
1. On the left of the Deployed Agent Versions portal, view the colored pie chart and the adjacent list, which display the three-digit version number of the current Agent version, the number of Agents deployed with the latest software version, and the number of Agents still running earlier versions (not yet updated). The Agent versions are color-coded: Current (Dark Blue), Previous (Light Blue).
2. To drill down to examine Agent details, click the Latest version or Earlier version
[Screenshot: Identification page, showing a domain target listed with type Auto]

2. In the Forced Identification Users section, click the Create button.

The Identification User Policy Templates window opens, where you can specify whether to apply identification policies to a specific user or to all users. Whenever the specified users log on to any of the servers that are linked to the selected policies, they will be required to provide secondary authentication credentials.

[Screenshot: Identification User Policy Templates window. It prompts you to select All Users or enter Domain Name\Login (e.g. administrator or OBSERVEIT\DanielP) to enforce the identification policy, and to select one or more Server Policy Templates from a list showing each Policy Name and whether Enforce login is turned on (Default Windows-based Policy: Yes; Default Metadata Only Policy: Yes; Default Recording Disabled Policy; Default Unix-based Policy). The window notes: Anytime the above user logs on to any of the servers that are linked to the selected policies, they will be required to provide secondary authentication credentials. The Enforce login check box in the selected policies must be turned on in order to take effect.]

Apply to Server Policies. Note: Only servers that have
(title illegible) ... 221
Deleting LDAP Targets ... 223
Changing the Default LDAP Email Field ... 225
Recording Metadata Information ... 224
Managing ObserveIT Storage ... 226
Viewing Database Information ... 227
Configuring Screen Capture Data Storage ... 229
Viewing Servers Database Information ... 233
(title illegible) ... 235
Scheduling an Archive Job ... 237
Managing the Archive Storage ... 244
(title illegible) ... 250
Best Practices for Storage of Large Scale Deployments ... 251
Backing Up the ObserveIT Databases ... 253
(title illegible) ... 254
(title illegible) Access to the Web Console ... 256
(title illegible) ... 257
Auditing Session Replays ... 258
Auditing Saved Sessions ... 259
Auditing Configuration Changes ... 260
Using Hotkeys ... 262
Sticky Notes ... 263
Context Sensitive Search ... 265
[Screenshot: Configuration > Security page, with an Enable Session Data Integrity option and an Application Servers table with the columns App Server Name, ID, Image Security, Installation Security and Last Updated]

On this page you can make the following configuration changes:
• Rename Application Servers
• Enable Image Security
• Enable Installation Security

Note: Any modifications you make when configuring Application Server Image or Installation security can be viewed for auditing purposes in the Configuration Changes tab of the Web Console. For further details, see Auditing Configuration Changes.

General Security Best Practices
Following are some best practice recommendations that you should consider:
• Ensure that the servers running ObserveIT components are physically secure. If possible, lock these computers in a secure room to which only authorized personnel have direct access.
• Ensure that administrative rights to the Windows operating system are given only to those users that currently need them as part of their job description, and remove outdated users from administrative groups such as the default Administrators, Domain Admins and Enterprise Admins groups.
• Change the default ObserveIT Admin password frequently and control access to that account.
• Strictly limit who is authorized to manage ObserveIT and view recorded sessions.
• Enable Agent-to-Application Server traffic security.
• Enable Database encryption and digital signi
Event ID | Event Name | Category | Severity | Description
1302 | Notification Service is OK | Functionality | Low | The Notification Service is working properly.
1303 | Notification Service is not working properly | Functionality | High | The Notification Service is not working properly. Perhaps the service was terminated or was configured incorrectly. When this occurs, there will be no archives, no event emails and no scheduled reports. To resolve this, restart the service (go to Start > Services).
1305 | Notification Service has started | Functionality | Low | The Notification Service has started.
1306 | Notification Service has stopped | Functionality | Low | The Notification Service has stopped. Restart the service (go to Start > Services).
1405 | ArcSight file size reached 0.5 | Communication | Low | File size reached 0.5 of the maximum size defined.
1406 | ArcSight file size reached 0.75 | Communication | Medium | File size reached 0.75 of the maximum size defined.
1407 | ArcSight file size reached 0.99 | Communication | High | File size reached 0.99 of the maximum size defined.
1408 | ArcSight file size past maximum | Communication | High | File past the maximum size defined.
1409 | Monitor Log could not create directory | Communication | High | You may not have sufficient permissions to create the directory.
1410 | Monitor Log could not | Communication | High | You may not hav
Forced Identification users, which specifies which users and/or user groups to include or exclude from being recorded. For further details, see User Recording Policy.

Instead of using Server Policies, you can add individual Servers (Agents) that will enforce the identification of the selected users. To do this, in the server list in the Apply to Servers section of the Policy Templates for Identification User window, select the check boxes next to the required server names.

Note that this option has additional administrative overhead, as you may need to manually add servers to the list. To manually add a server to the list, go to the Configuration > Servers page, select the required server name (which is currently linked to a default policy template), unlink the server from the server policy, and click Save. For further details, see Servers. The server will then be included in the list of servers in the Apply to Servers section.

[Screenshot: Apply to Servers section, listing Manual servers by Server Name with an "Enforce login is turned on" column (Yes/No). The section notes: Only servers that have manual configuration settings will be listed. The Enforce login check box in the selected servers must be turned on in order to take effect.]

3. If you want to define more users, click the Add button in the I
From the Alert Rules page, the tasks you can perform on activity alert rules include:
• Creating Alert Rules: Create a new alert rule by clicking the Create New Alert Rule button to open the Create Alert Rule page, where you can create the new alert rule.
• Editing and Duplicating Alert Rules: Edit a rule by clicking the name of the relevant rule in the list to open the Edit Alert Rule page, where you can edit the parameters currently defined for the selected alert rule. Duplicate an alert rule by clicking the Duplicate link next to the relevant rule to open the Edit Alert Rule page with a new alert rule initialized to the exact content of the selected item, named "Copy of <selected alert rule name>", and edit this duplicate rule as required.
• Deleting Alert Rules: Delete an alert rule that is no longer required by clicking the Delete link next to the relevant rule in the list. The selected alert rule is deleted after confirmation.

Filtering Alert Rules
In the Activity Alert Rules tab, you can filter the alert rules displayed in the Alert Rules list per specified criteria.

To filter alert rules
1. From the Status drop-down list, select the status of the alert rules that you want to view: Active, Inactive, or All to view both active and inactive rules.

[Screenshot: Alert Rules filter bar with Status (All), Severity (All), More Filters and Policy (All) drop-down lists]
[Screenshot: Alerts list in Details mode. Each entry shows the alert rule name (Browsing SETTINGS pages), the user (micky), a View rule details link, the Who / Did What / On which Computer / From which Client / When details, and the Alert ID (10000000 to 10000003). The Did What entries show the windows opened: Manage Accounts, Share and Storage Management, Computer Management and Program Manager.]

Viewing Alerts in the Session's Video
While replaying a recorded session using the Session Player, you can watch the session video for alerts. If any alerts occurred on the session, an alert indication will
Historical Data Storage Locations section.

Managing the Active Screen Capture Archive
Note: The Active Screen Capture Archive section appears in the Archive Storage Management page only if the file system is being used to archive the screen image data.

In the Active Screen Capture Archive section, you can:
• View detailed information about the current screen capture archive data storage.
• Define a threshold that will trigger a system event if the specified archive file reaches its maximum allocated storage.
• Define new file system locations in which to store archived screen capture data.

[Screenshot: Active Screen Capture Archive section, showing Screen capture data stored in (File System), File system location, Date range of included sessions, Current screen capture storage (0.00 GB, 0 screens), Low disk space notification (Not Configured), and a New Screen Capture Archive Location option]

The following information is displayed about the currently active screen capture archive data storage:
• Screen capture data stored in: File System.
• File system location: The file system archive path (local on the server or a network share).
• Date range of included sessions: First date and time to last date and time.
• Current screen capture storage: Size of storage for the current screen capture session (GB) and number of screens.
• Low disk space notification: Not Configured threshold, showing the maximum actual disk space alloc
SIEM log integration, including:
• Activating SIEM log integration and selecting the log data types
• Specifying the log file location and log file name
• Scheduling a log file cleanup

Note: By default, SIEM log integration is disabled. You cannot enable both ObserveIT logging and SIEM logging simultaneously, since this might cause serious performance issues.

To configure SIEM log integration
1. Navigate to Configuration > Monitor Logs.
2. Click the SIEM Log Integration tab.

[Screenshot: SIEM Log Integration tab. It contains an Activate SIEM log integration check box, an Enable export to ArcSight format check box, a Log data section (All selected types of log data will be stored in the same file) with the types Windows and Unix Activity, System Events, Activity Alerts, Identity Theft Detection, DBA Activity and Messages, a Log file properties section (Folder location: C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\ArcSight; File name: OIT_CEF.log; the Folder location displays the path to the current log files, and to change the location you enter a new path and click Save), and a Log file cleanup section.]
[Screenshot: Session Player replaying a session that contains an alert (Browsing SETTINGS pages, 1 of 1), showing the activity timeline, the Alert Details Panel and the User Activities List]

In the Alert Details Panel, you can view a summary of the alert activity, including alert name, severity, conditions, and the number of alerts in the session (in the upper right corner; for example, 1/1 in the above example). Click the Bell icon in the lower right part of the screen to toggle between showing or hiding the alert details, as required. On the replay timeline bar, you can view alert indication icons and hover over an alert icon to view the alert rule name. In the User Activities List on the right, you can view alert indications on the suspicious activities.

Searching for Sessions by Alert ID
In the Search page, you can search for sessions by alert ID. When viewing alerts in Details mode (see Viewing Alert Details: Who, Did What), you can open the Search page filtered to display a session according to a particular alert ID. The Search page enables you to view other information about the session that is not available in the Activ
[Screenshot residue: archive job summary of the sessions that will be affected. Current DB time is 1/26/2014 4:18:51 PM; Sessions to Archive: 36; Screenshots to Archive: 4616; schedule created on 1/26/2014 4:18 PM]

Note: If you selected an archive job schedule of Run Once, after the job runs the status reverts to Disabled.

Managing the Archive Storage
You can manage the archive storage from the Storage Management tab of the Configuration > Archive page. In the Archive Storage Management page, you can:
• Manage the currently active archive database
• Manage the currently active screen capture archive (if the file system is used to store the screen image data)
• View previous data storage archive locations

Note: The contents of the Storage Management tab differ depending on whether the SQL Server or the file system is being used for the archive screen capture data. The following screenshot includes the Active Screen Capture Archive section, which appears when the file system is used; if the SQL Server is used for archiving both the metadata and screen capture data, this section will not appear.

[Screenshot: Archive Storage Management page. The Active Archive Database section shows Archive data stored in, Database server, Database name, Database path, Date range of included sessions, Size of archive database and Low DB space notification, plus an Add New Archive Database option; it is followed by the Active Screen Capture Archive section.]
[Screenshot residue: search results table listing recorded sessions by server (WIN2003-SRV1, WIN2003-SRV2), date (11/04/2009, 11/02/2009) and user (Administrator), with a thumbnail image for each]

Clicking the thumbnail image launches the Session Player, in which you can view the recorded session.
Note: To view the recorded sessions, you must log in to the ObserveIT Web Console.

Managing Reports
ObserveIT provides two groups of predefined reports:
• Custom reports: Sample reports which you can run, schedule, copy, edit and delete. You can also manually create new custom reports from these sample reports.
• System reports: Built-in reports which you can run, schedule and copy, but you cannot edit or delete.

In the Reports page of the Web Console, you can:
• Create custom reports
• Run reports
• Schedule reports
• Edit reports
• Delete reports
For further information, see the Reports section in the User Guide.

Creating Custom Reports
You can create reports depending on your needs. These reports can be reviewed, edited, copied and deleted. Copying a custom report is useful when a report needs to be edited and you do not want to save these changes to the original report, or when the original report is used as a basis for other custom reports, by using the same initial configuration and parameters.

To create a custom report
1. In the Web Console, click the Reports tab. The
Managing Reports ... 266
Creating Custom Reports ... 266
Running Reports ... 271
Scheduling Reports ... 275
Editing Reports ... 275
Deleting Reports ... 277

Configuration Guide
After you have completed the installation process for ObserveIT, you will need to configure the application as required by your design criteria and operational needs. This configuration guide describes all the configuration tasks that should typically be performed by an ObserveIT Administrator. For ObserveIT usage guidelines, refer to the User Guide.

Most configuration tasks are performed via the Configuration tab in the Web Console. However, some additional configuration tasks need to be done using various system tools and operating system settings.

Admin Dashboard
The Admin Dashboard provides at-a-glance graphical summaries of the operational statuses of installed ObserveIT Agents and infrastructure (Application Servers and so on), and easy navigation to drill down and perform root cause analysis and corrective action. Operati
ObserveIT Configuration Guide, Version 5.8
Copyright (c) 2015 ObserveIT Ltd.

Contents
Configuration Guide ... 7
Admin Dashboard ... 8
Walkthrough: Two Steps to Agent Health ... 10
Main Admin Dashboard ... 13
Colored Severity Levels and Icons ... 14
Agents ... 15
Application Servers ... 24
Deployed Agent Versions and Recently Installed/Uninstalled Agents ... 26
(title illegible) ... 28
Refreshing the Admin Dashboard ... 29
Console Users ... 30
Creating Local or Active Directory-based Console Users ... 31
Creating and Managing Local Console Users ... 32
Creating Active Directory Console Groups ... 34
Assigning Console User Permissions to View Recordings ... 34
Identification Services ... 37
Viewing Forced Identification Users in the Web Console ...
Only setting to change the way the ObserveIT Server records applications. By using this setting, the ObserveIT Server will only record metadata for the applications accessed during a user's session; no graphic information will ever be recorded. After making the necessary configuration changes, you will be able to replay and view the graphical recorded data for those applications, but will only have textual metadata information about any other application that was accessed on that server. These applications will be clearly identified by an icon in the Activities View of the Server Diary or User Diary. When viewing the recording, only the recorded applications will be visible.

Managing ObserveIT Storage
ObserveIT stores captured data and configuration settings inside Microsoft SQL Server databases. Storage includes configuration data, textual audit metadata, and the actual screenshots for video replay captured by the ObserveIT Agents. During installation, the ObserveIT Database Server creates the following databases on the SQL Server:
• ObserveIT
• ObserveIT_Data
• ObserveIT_Archive_1
• ObserveIT_Archive_template

By default, the ObserveIT screenshots are stored in the SQL Server ObserveIT_Data database. However, if required, screen image data can be stored in the file system instead of the SQL database. The file system storage method is most
[Screenshot residue: Configuration menu entries SMTP Settings, Monitor Log, LDAP Settings, Storage, Archive, Saved Sessions and Audit]

In the Saved Sessions tab, you can filter the display by searching for sessions according to Console User name (Operator), date (Up To) and Action Type (All, Download, Delete). The following information is displayed for each audit entry:
• Expand icon: Click to open the session details for an entry.
• Session Name: The name of the saved session. You can click the icon next to Session Name to see the window title name of the slides.
• Requested Slides: When a recorded session is saved, users can specify the slides that they want to include: the entire recording, specific slides, or a range of slides. Full means that all slides in the session were saved.
• Action Time: The date and time that the session was saved.
• Server: The name of the server on which the session was saved.
• Domain Name: The domain name, if the Console User is configured with an external Active Directory or LDAP domain.
• User Name: The Console User that accessed the Web Console.
• Total Slides: The actual number of slides in the saved session.
• Action Type: The audit action that was detected. Options are:
  • Download: The user downloaded the saved session.
  • Delete: The user deleted the saved session.
• Video icon: Click to replay the session. When Session Replay Privacy Protection is enabled, a
[Screenshot residue: archive job history table listing, for each job, the run date and time, duration, the date range of the archived sessions, the Admin user, the number of sessions and screenshots, the target database (ObserveIT_Archive_1) and the action (Archive)]

Best Practices for Storage of Large Scale Deployments
ObserveIT can support large enterprise implementations comprising thousands of monitored users. This topic provides important information about how to configure the ObserveIT database for large-scale deployments. The following sections describe how to optimize storag
Policy Templates list, click the Server Policy Template name. The relevant Server Policy Template properties page opens.
3. Edit the fields as required. For further details, see Configuring Server Policy Settings.
4. Click Save to save your changes to the Server Policy.

Note: Each Server polls its Application Server at the beginning of each new session, or every 15 minutes, to check for new configuration settings. To expedite the changes you have made to the linked Server Policy Template, ask the user that is currently logged on to that computer to log off and log on.

Deleting Server Policies
Note: Before deleting a Server Policy, look at the servers count in the View column of the Server Policy Templates window. If the count is 0 (zero), no server is linked to this policy. However, if the servers count is higher than zero, all servers that are linked to the Server Policy you are about to delete will no longer be linked to it, and their status will turn to Manual. You can view the linked servers by clicking the Servers link.

To delete a Server Policy
1. Navigate to Configuration > Server Policies.
2. In the Server Policy Templates list, click the Delete link next to the Server Policy that you want to delete.
Note: The default policies cannot be deleted.
Reports page opens, displaying the Report List.

[Screenshot: Reports page, Report List tab, with a Create New Custom Report button. The Custom Reports table lists each report's Name, Description, Modified date and User, with Run, Cached, Schedule, Copy, Edit and Delete links. The sample reports shown are Audit logins (Logins to the Web console during the last month), Audit Saved Sessions (Recorded sessions that were exported during the last year), Audit Sessions, SAMPLE Admin related tasks Past Week (Administrative related tasks performed on monitored servers), SAMPLE Apps usage grouped by Server Name Past Week (All apps used on monitored servers, grouped by Server Name), SAMPLE Apps usage per Server grouped by App Name Past Week (Report all apps used on the monitored servers, grouped by App Name), and SAMPLE Remote Desktop Sessions Past Week (All Remote Desktop sessions initiated from monitored servers, grouped by Window Title and Server Name).]
[Screenshot: Identity Theft Detection page. The pending requests table lists Received, Client, Domain, Login and Expiration, with Approve and Reject links; the Approved User Client Pairs table lists Domain, Login, Client and Expiration, with a Delete link for each pair.]

3. In the Add User Client Pair section, click Add.

[Screenshot: Add User Client Pair section with Domain Name, Login Name, Client Name and Expiration Date (Never) fields]

4. (Mandatory) Specify the following information about the new pairing request:
• Domain Name: The domain name of the user.
• Login Name: The login name of the user.
• Client Name: The client computer to which the user is allowed to log in.
• Expiration Date: The date after which the approved pairing request will no longer be valid. Options are 3 months, 1 year, 3 years, or Never.
5. Click Save. The new user-client pairing request is added to the Approved User Client Pairs list.

Note: You can filter the Approved User Client Pairs list in order to retriev
Server Policy Template page, select the required recording mode: Basic or Extended.

[Screenshot: Server Policy Template page for the Default Unix-based Policy. System Policy options: Enable recording, Enable Identity Theft Detection, Enable recording notification, Set session timeout (15 minutes). Data Recording Policy options: Basic (record commands and terminal output), Extended (record commands, terminal output and system functions), Stop recording session output beyond 1000 KB until new user input is detected, Stop recording command output beyond 500 KB until a new command or user input is detected.]

3. If you selected Extended mode, select the specific functions that you want to record, as shown below. By default, they are all selected:
• File opened for read
• File created or opened for write
• File renamed
• File deleted
• File permissions changed
• Child process or shell created
• Process killed
4. Click Save to sa
(title illegible) ... 96
Application (title illegible) ... 98
(title illegible) ... 100
(title illegible) ... 101
(title illegible) ... 103
Renaming Application Servers ... 104
Enabling Image Security ... 105
Enabling Installation Security ... 109
Enabling Session Replay Privacy ... 111
Activity Alerts ... 114
(title illegible) ... 116
Viewing Alert Indications in the Web Console ... 130
(title illegible) Alert Rules ... 134
Integrating Alerts (title illegible) ... 166
System Events ... 167
Event Types ... 168
Viewing (title illegible) Events ... 177
Filtering Events ... 179
Adding Comments to Events ... 181
Defining the Remediation Status of Events ... 181
Configuring Email Notification Settings for Events ... 182
Identity Theft D
T metadata for Windows and Unix/Linux operating systems. On Windows, you can search for users who logged in, ran a specific application, viewed a specific window's title, visited a URL, or executed an SQL command containing keywords (for example, a table name). On Unix/Linux, you can search for users who logged in, executed a specific command (based on command name, full path, arguments or command switches), or acted under a different user's permissions.

Numerous options are available to help you configure the exact conditions that must be met in order for the alert rule to be active. Example scenarios are provided in subsequent topics to help you understand how to configure "Did What" conditions using the group and field options in the Create Alert Rule page.

Note: You can use the "Logged in" option to generate an alert when a user logs in to either a Windows or Unix/Linux computer. It is the default activity that appears when creating a new alert rule, and it cannot be combined with any other "Did What" activity. Without some additional criteria related to this activity, countless alerts will be generated, in fact every time someone logs in to any monitored computer. Therefore, it is important to specify particular users, servers, days, times, and so forth, so that you receive only relevant alerts.

The following procedure describes the steps required for defining the "Did What" conditions, how to define the frequency of alert generation, an
Targets section, click the Create button.

[Screenshot: Local ObserveIT Identification Users ("These are the Local ObserveIT Targets against which the users will authenticate"), with columns User Name and Update Date and Create/Delete actions.]

The LDAP Settings page opens.

3. Configure an automatic or manual LDAP target. For details, see LDAP Settings Configuration.

4. Specify the Domain, User Name and Password that will be used to access the domain which will be used as the Active Directory Identification target.

After the LDAP connection is established, the domain against which the users will be authenticated appears in the Active Directory Identification Targets section of the Configuration > Identification page.

Configuring Active Directory Groups

By integrating ObserveIT with Active Directory, you can configure Identification Services so that no user can pass the ObserveIT Identification screen unless they are members of a specific Active Directory group. In this way, you can prevent users who are not members of a predefined Active Directory group from gaining access to the Windows desktop and logging on to the monitored servers.

Note: Using Active Directory groups is only possible if the LDAP target is an Automatic type LDAP Target. For further details, see Configuring Active Directory Identification Targets.

By default, all Active Directory groups can authent
[Table of contents fragment]
[illegible entry] ........ 67
Modifying Server Policies ........ 68
Deleting Server Policies ........ 69
Linking Servers to Server Policies ........ 69
Linking Server Groups to Server Policies ........ 72
Configuring Server Policy Settings ........ 74
Enabling Agent Recording ........ 75
Enabling Identity Theft Detection ........ 75
Enabling Agent API ........ 76
Showing/Hiding the Agent Tray Icon ........ 77
Restricting Recording to RDP Sessions ........ 78
Enabling Hotkeys ........ 79
Enabling Key Logging ........ 80
Optimizing Screen Capture Data Size ........ 81
Enabling Recording Notification ........ 82
Recording in Color or Grayscale ........ 84
Setting Session Timeout ........ 86
Setting Keyboard Recording Frequency ........ 88
Setting Continuous Recording ........ 89
Data Recording Policy ........ 91
Offline Recording Policy ........ 93
Identification Policy ........ 94
User Recording Policy
ails

[Screenshot: an alert shown in Details mode, with the Who, Did What, On which Computer, From which Client (localhost), When (Monday 7/21/2014 1:27 PM) and Alert ID (10000009) fields.]

2. In Details mode, you can view the details of the conditions that contributed to the generation of the alert, as described in the following table:

Who: The user on which the alert will be generated.
Did What: What actions the user did. For example, you can see which URLs the user visited, which applications they ran, and so on.
On Which Computer: Name of the computer on which the action occurred.
From Which Client: Name of the client, domain name or client IP address.
When: What day, date and time the action occurred. In case of a delay between the alert generation and the time of reporting it (such as Agent offline, communication issues, and so on), the date and time of the alert reflect the time it was generated, regardless of the delay.
Click the View rule details link to view alert rule details, as described in the procedure below.
Alert ID: ID number of the alert. Click the Alert ID link to open the Search tab showing the session that contains the alert. For further details, see Searching for Sessions by Alert ID.

From the Details mode, you can view the alert rule details.

To view alert rule details:
• Click the View rule details link. A popup window opens displayi
aily digest email at a fixed time every day, for example 8:00 a.m. An email is sent at the designated time every 24 hours, even if no system events occurred within the prior 24 hours. If no events occurred, the subject remains the same, showing 0 events, and the body contains only "No system events generated in the past 24 hours".

7. Click Save to save the settings.

When the selected events occur, email notifications will be sent to the specified email addresses according to the configured email frequency.

The following is a sample email notification that users might receive when a system event is triggered:

To: joe@itsecurity.com
Subject: System Event Digest: 3793 events during the past 20 minutes

System Event Summary
High severity Events:
1296 Unrecorded Agent sessions
767 Agent service stopped
70 Agent service was terminated
9 Agent installation failed
Medium severity Events:
530 Agent registration was successful

System Event Details (10 of 3793 shown here; view all)
High severity Events (10 of 2192 shown here)
Agent service stopped
Event ID: 1
Received Time: Monday 10/6/2014 3:22 PM
Severity: High
Event Code: 1202
Event Name: Agent Service has stopped
Event Description: The ObserveIT Agent Service has reported that it has stopped
Server: OIT LILI
Component: Agent
Source: Agent
al server, see Configuring Server Settings.
• Any modifications you make in a server policy can be viewed for auditing purposes in the Configuration Changes tab of the Web Console. For further details, see Auditing Configuration Changes.

The following topics in this section describe how to configure the Server Policy settings:
• Enabling Agent Recording
• Enabling Identity Theft Detection
• Enabling Agent API
• Showing/Hiding the Agent Tray Icon
• Restricting Recording to RDP Sessions
• Enabling Hotkeys
• Enabling Key Logging
• Optimizing Screen Capture Data Size
• Enabling Recording Notification
• Recording in Color or Grayscale
• Setting Session Timeout
• Setting Keyboard Recording Frequency
• Setting Continuous Recording
• Data Recording Policy
• Offline Recording Policy
• Identification Policy
• User Recording Policy
• Application Recording Policy
• Agent Logging and Debugging
• Memory Management

Configuring Server Policy Settings

Enabling Agent Recording

Note: This feature is supported on Windows-based and Unix-based server policies.

By default, as soon as the ObserveIT Agent is installed and the user logs on to the monitored machine, all user actions start to be recorded. However, if required, you can temporarily disable recording without uninstalling the Agent software. You can control the recording status of the ObserveIT Agent manually per server (Ag
all authorized and unauthorized login and pairing request events. For further details, see System Events.

For example, if a hacker steals the credentials of a user and logs in from a remote machine, or if an internal user uses the administrator's password to log in to a server from the user's desktop, a suspicious login event is generated and the user receives notification about this via email. The email confirms which server the user logged on to and from which client (user machine) they logged in. After receiving the email notification, if the user or administrator is indeed the person who logged in, he can ignore the email or submit another pairing request. If the user or administrator denies that he was the person who logged in, he should report this to the administrator.

Following is an example of a suspected identity theft email notification:

Subject: Suspected use of your credentials
Body: User domainName\userName performed login from client machine clientMachine.
Details:
Description: description
Login: Shared Account login
User: userName
Client: clientName (IP)
Server: serverName
Date: date
Time: time
If this activity was not initiated by you, click here.
If you want to avoid receiving notifications when DomainName\LoginName is logged in from clientName, click here.

Note: To enable the Identity Theft Detection feature, the Enable Identity Theft Detection check box must be selected in the server's policy
[Screenshot: Server Policy Template page for the Default Windows-based Policy. System Policy: Enable recording, Enable Identity Theft Detection, Enable API, Show tray icon, Restrict to RDP, Enable hotkeys, Enable key logging, Optimize screen capture data size, Enable recording notification ("All activity on this machine is recorded"), Set image format: Grayscale, Server Compression; Set session timeout (minutes): 15; Set keyboard frequency: Low; Set continuous recording (seconds): OFF.]

Options include:
• Low: every 1 second (default)
• Medium: every 0.5 second
• High: every keystroke

3. Click Save to save the changes.

Setting changes will take effect on new user sessions, after the current sessions are closed.

Setting Continuous Recording

Note: This feature is supported on Windows-based server policies only.

In Continuous Recording mode, ObserveIT records the user's screen even when no user activity is detected. This feature is useful when the user is watching a video with lengthy screen output, or long output from a running application. ObserveIT records the screen every x seconds, as configured in the server policy. By default, this feature is turned OFF. When this feature is enabled and no user activity occurs within the specified time interval (number of seconds), the screen which is in focus will be recorded, but
and enter mmc.

2. In the Console window, select File > Add/Remove Snap-in.

3. Select the Certificates snap-in, click Add, and assign it to the local computer account (Computer Account > Local Computer).

[Screenshot: Certificates snap-in dialog. "This snap-in will always manage certificates for: My user account / Service account / Computer account." "Select the computer you want this snap-in to manage: Local computer (the computer this console is running on) / Another computer." "Allow the selected computer to be changed when launching from the command line. This only applies if you save the console."]

4. In the MMC, under Local Computer > Personal, right-click the certificate and select All Tasks > Manage Private Keys.

[Screenshot: MMC Console Root > Certificates (Local Computer) > Personal > Certificates, showing the ObserveIT certificate with the All Tasks context menu open (Request Certificate with New Key, Renew Certificate with New Key, and further items).]
[System events table, continued. Columns: Category, Severity, Description.]

Data Loss (High): Data loss occurred while the Agent was running. This may have occurred due to resource overload or some issue with the SQL Server or the Application Server. Check that the SQL Server and Application Server are working properly.
Data Loss: The volume of data exceeded its configured limit while the Agent was in offline mode, resulting in data loss. You must increase the offline data limit in the configuration file.
Data Loss: Data was lost while the Agent was in offline mode due to insufficient disk space. Increase the disk space to prevent this from recurring.
Recording Functionality: Agent sessions are now being recorded. The Agent process was reactivated by Watchdog.
Recording: The recording of user actions was enabled in the Web Console Server Policies configuration.
Recording: The recording of user actions was disabled in the Web Console Server Policies configuration.
Recording: The Unix Agent internal Watchdog (obitd service) failed to start the ObserveIT logger after a problem was detected, and recording was disabled. Another reason can be that someone did this on purpose using the oitcons utility, for example as part of an upgrade process. To enable interception, use the oitcons utility.
Recording: The Unix Agent interception is on and recording is enabled.

Code
ata even after becoming inactive, unless you archive or delete that information from the active database.

Managing ObserveIT Storage

• Number of users in DB: The total number of users that are recorded in this database.
• Screen capture data stored in: SQL Server or File System.

Configuring Screen Capture Data Storage

By default, the ObserveIT screenshots are stored in the SQL Server database. However, in many deployments the file system may be the preferred method for storing screen image data instead of the SQL Server database. When using the file system, the recorded visual images can be stored either on the local hard drive of the ObserveIT Application Server or on a file share in the network.

In the Screen Capture Data tab of the Configuration > Storage page, you can:
• View active screen capture data storage information when using the SQL Server database
• View and configure active screen capture data storage when using the file system or a network share
• Create new file system locations for screen capture data
• View local/network paths which were previously used by the system to store screen capture data

Note that the contents of the Screen Capture Data tab differ depending on whether the system is using the SQL Server database or the file system for storing screen captures (identified in the Database Server tab).

Viewing Screen Capture Data Storage when using th
[Screenshot: Configuration > Storage Management page. Archive data stored in File System: location, Date range of included sessions, Current screen capture storage, Low disk space notification (Not Configured); New Screen Capture Archive Location button. Historical Data Storage Locations table with columns DB and Related Screen Data Locations, First Session Date, Last Session Date, Sessions, DB Size (GB) and Freeze Date, listing ObserveIT_Archive_1 (SQL Server) and a file system archive location.]

Archiving Information

Managing the Active Archive Database

In the Active Archive Database section, you can:
• View detailed information about the currently active archive database and the sessions that are stored in it
• Define a threshold that will trigger a system event if the archive database reaches its maximum allocated storage
• Create a new archive database if the current archive database size exceeds its maximum allocated storage

The following information is provided about the currently active archive database:
• Archive data stored in: SQL Server
• Database Server: Server that hosts the SQL Server database
• Database Name: Name of the archive database
• Database Path: Pa
ata with the relevant archive database. Since you can define multiple archive file system locations for each active archive database, you can also see a number of archive databases, each with several file system locations.

Archiving Information

When the file system archive is not active, the details of each historical archive database are displayed in a list, as shown in the following example:

[Screenshot: Configuration > Storage Management > Archive page. Active Archive Database: Archive data stored in SQL Server; Database Server; Database Name ObserveIT_Archive_2; Database path; Date range of included sessions N/A; Size of archive database 7.18 GB (0 Slides); Low DB space notification; Add New Archive Database button. Historical Data Storage Locations table (DB and Related Screen Data Locations, First Session Date, Last Session Date, Sessions, DB Size (GB), Freeze Date) listing ObserveIT_Archive_1 with sessions from 10/27/2013 to 02/03/2014 and a freeze date of 01/25/2014.]

When the file system archive is active, each archive database entry can be expanded by clicking the expand icon to show the related file system locations, as shown in the following example:

[Screenshot: Configuration > Storage Management > Archive page, Active Archive Database section; archive data stored in
ated for the screen capture data. A system event will be generated when the disk size contains more than __% of the allowed __ GB. If required, you can click the Change button to open a dialog box that lets you specify a different threshold.

Note: Before the current file system archive reaches its maximum allocated storage, it is recommended that you create a new file system location in which to store the archived screen capture data.

To create a new archive location for screen capture data:

1. In the Active Screen Capture Archive section, click the New Screen Capture Archive Location button.

The New Screen Capture Archive Location dialog box opens.

[Screenshot: New Screen Capture Archive Location dialog, with a "Local or network path" field and the option "Generate a system event when the disk contains more than __ out of the allowed __ GB".]

2. Enter a new file system path (local on server or network share) to the new archive location and click Verify. The system checks that the new path exists, has not already been used, and is not a subfolder of an already used path. The system also checks that the user account used by the ObserveIT application pool on the Web Console has read and write permissions for the specified path.

3. If required, you can configure a threshold setting for the new path that will generate a system event
base. For performance and scalability reasons, the recorded visual images must be stored on a file share in the network. For further details, see Storing the ObserveIT Screenshots in the Installation Guide.

To optimize your file system storage, do the following:
• Configure file system storage for the images data during or immediately after installation.
• Use dedicated storage for images data; that is, avoid using the same storage array as the one that was used for the SQL Server databases.
• When using multiple Application Servers, all Application Servers must be able to access the same path to store the graphical images (UNC path).
• Create a new file system when the current one reaches approximately 4 billion objects, due to NTFS file system limitations.

Archive Configuration

In large-scale deployments, when archiving data, note the following:
• Archive configuration is mandatory from day 1. You should configure archiving for data older than X days immediately after the product installation, when the databases are relatively small.
• Create a new archive database when the volume of data in the active archive database reaches approximately 400-500 GB. A notice can be set for this in the Web Console.
• Schedule archiving jobs for non-busy hours on a daily basis.
• When using the file system for archiving stored images data, you should create a new archive path when the current one reaches approximately 4 billion objects, due to NTFS file
based Policy
• Default Metadata Only Policy
• Default Unix-based Policy
• Default Recording Disabled Policy

By default, all the Windows-based Servers (or Agents) are automatically configured by the Default Windows-based Policy, and all Unix/Linux-based Servers (or Agents) are automatically configured by the Default Unix-based Policy. Any changes to these Server Policies will affect all respective linked machines. The Metadata Only and Recording Disabled Policies were created to ease the deployment of the API-controlled Agents and to provide an easy method of recording Metadata-only sessions. By default, no Agents are linked to these Policies.

The Configuration > Server Policies tab allows you to view all the Server Policy Templates, change settings in policies, copy and delete them, as well as configure and link ObserveIT Servers and Server Groups to these policies.

[Screenshot: Configuration > Server Policies page listing the Server Policy Templates (Windows-based computer policies) with columns Name, Install Parameter and View Server Policies: Default Windows-based Policy (Servers: 1), Default Metadata Only Policy (Servers: 0), Default Unix-based Policy (Servers: 0).]
be displayed. Note that the color of the ring around the alert icon shows the alert severity: high (red), medium (orange) or low (yellow). For instructions on how to use the ObserveIT Session Player, see Windows Session Player or Unix Session Player in the User Guide.

To open a session's video for viewing alerts:

1. In the Activity Alerts List view, Details view or Gallery view, click the Video icon next to the alert. The Session Player opens. Details for each alert are displayed as the replay progresses.

Following is an example of a video replay of an ObserveIT session on which a number of medium-severity alerts were generated:

[Screenshot: ObserveIT Session Player replaying an Internet Explorer session. The User Activities List shows timestamped window titles (General Account Settings, Program Manager, Start menu, Computer Management, Control Panel, Manage Accounts, and others) with alert markers alongside them.]
[Screenshot: Save Session dialog in the ObserveIT Session Player. "You are about to create an offline copy of this recording. The process of creating this file will take several minutes. A link to this offline copy will be found in the Configuration > Saved Sessions section. Which slides would you like to save? All slides / Selection (Type slide numbers and/or slide ranges, separated by commas. For example, type 1-3, 5, 12)." Fields: Name (Session Name) and Password (Optional; this will be required for opening the exported zip file).]

Saving Sessions

4. In the Name field, type a name for the session that you want to save.

5. Optional: In the Password field, type a password to provide more security for the saved session.

6. Click Save Session. The session is saved in the Configuration > Saved Sessions tab.

7. Navigate to Configuration > Saved Sessions. The Saved Sessions page displays a list of all previously saved sessions. The recently saved recording is displayed in the Saved Sessions list, initially with a Pending
cannot be archived or deleted from the system.

To flag alerts for follow-up:

1. In the Activity Alerts page, click the Flag icon next to the alert to flag/un-flag it.

[Screenshot: Activity Alerts page with filters (Period, Severity, Alert rule, Server, Login, Server group, User (secondary), Client, Flagged, Alert ID) and a list of alerts with columns Time, Alert rule, Login, User, Server and Video. A flagged alert shows the tooltip "Flagged by michelle on 6/25/2014 1:14 PM".]

2. You can filter the list of alerts based on the flagged/not flagged status.

Note the following:
• When flagging an alert, the system stores the Console user name and the time that the alert was flagged; this information is also shown in a tooltip.
• Only the user who flagged an alert, or the administrator, can un-flag it. The system stores the user name and time of the un-flagging; this information is also shown in a tooltip.
• The same user can flag/un-flag an alert as many times as required, without any message interruption.

Ac
cation on your computer.

[Screenshot: File Download dialog. "Do you want to open or save this file?" Name: ce99052e-3a32-4a4c-b87d-88ae6ed22Fc9_Full.zip; Type: Compressed (zipped) Folder, 692KB; From: 127.0.0.1; Open / Save / Cancel; "Always ask before opening this type of file"; "While files from the Internet can be useful, some files can potentially harm your computer. If you do not trust the source, do not open or save this file. What's the risk?"]

Note: If you provided a password for the session when it was saved, you will be required to enter that password to open the exported session's zip file.

[Screenshot: ObserveIT Standalone Player prompt: "File is password protected. Please enter the password in the box below." Password field with OK and Cancel buttons.]

The ZIP archive contains an application called ObserveIT Standalone Player (ExportablePlayer.exe) and a directory of slides in screenshot file format. The number of slides corresponds to the number of slides in the ObserveIT Web Console.

9. Extract the contents of the ZIP archive to a directory and run the ObserveIT Standalone Player (ExportablePlayer.exe) application to view the session's slides in the same way as when using the ObserveIT Session Player.

To delete the saved session, if required, click the Delete link next to the saved recording.

Auditing Access to the Web Console

ObserveIT
ccurrence on 1/8/2015.

[Screenshot: Agents portal tiles for Windows Servers (24) and Windows Workstations (13), with color-coded status bars.]

The shades of orange and blue on these icons vary per how recently the tampering or data loss has occurred. The darkest shades indicate today, the medium shades indicate within the past 2-3 days, and the lightest shades indicate earlier in the week.

Click the Agent's colored Status bar to display details in a popup window, including the name of the Agent group and the number and color-coded statuses of the Agent group members. For example:

[Screenshot: Agent group status popup.]

For explanations of the icons and colored severity levels of system events and operational statuses, see Colored Severity Levels and Icons.

Other tasks you can perform from the Agents portal include:
• Drilling Down to Agent Details
• Assessing Agent Statuses and Details
• Investigating System Events
• Adding Agent Groups

Drilling Down to Agent Details

From the Agents portal, you can drill down to the Servers list to examine further details about the Agent operational statuses, in order to identify the causes and respond accordingly.

To drill down to Agent group members by group name:
• In the Agents portal, click an Agent group name. The Servers list opens, displaying the Agent group's members and related details. You can expand the Agent group member to view more details, including status details (when not OK), OS t
ch the ObserveIT Agents are installed and which are being monitored and recorded. The Configuration > Servers tab displays a list of all the servers and related details.

[Screenshot: Configuration > Servers page with filters (Group: All Servers, Server Name, Status: All, More Filters, Reset) and a table with columns Server Name, Server Policy, Version, Status, Installation and Last Activity, listing three servers: two Windows servers on the Default Windows-based Policy (version 5.8.0.0, status OK, installed 12/18/2014, last activity 12/18/2014) and one Unix server on the Default Unix-based Policy (status Uninstalled).]

In the Servers page, administrators can:
• View servers and related details, including server name, linked Server Policy, version number of the Agent software installed on the server, status of the server, installation date of the Agent software, and date of the last activity reported by the Agent installed on the server. You can change the Server Policy that is linked to a server and make manual changes to each server. If the names of physical Windows servers were changed, you can also change the ObserveIT server names to match the new machine names.
• Filter servers to easily find the server you are look
cies. ObserveIT records all types of user sessions, either local or remote, through Remote Desktop or third-party remote management tools such as VNC, PCAnywhere, NetOP and others. By default, all sessions (remote and local) are recorded, but you can configure the Agent to record only when the user session is a remote (RDP) session. In this case, local log-on sessions will not be recorded.

You can configure the recording to RDP only manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.

To restrict recording to RDP sessions only using Server Policies:

1. In the Configuration > Server Policies page, click Create or select a server policy template (default Windows-based policy).

2. In the System Policy section of the Server Policy Template page, select the Restrict to RDP check box. By default, this check box is disabled, to allow the recording of all types of user sessions.

[Screenshot: Server Policy Template page (New Server Policy Template), System Policy section: Enable recording, Enable Identity Theft Detection, Enable API, Show tray icon, Restrict to RDP (selected), Enable hotkeys, Enable key logging, Optimize screen capture data size, Enable recording notification.]
commended that you follow Microsoft's best practices on group object usage. For further details, refer to Active Directory Best Practices.

The following procedures describe how to:
• Create a new ticketing policy
• Edit the parameters of existing ticketing policies
• Disable ticketing policies
• Delete ticketing systems

To create a new ticketing policy:

1. Navigate to Configuration > Ticketing Integration. The Ticketing Policies tab opens, displaying all the currently active and disabled ticket policies in the system. From this tab, you can create new ticketing policies, update the parameters of existing ticketing policies, and disable and delete ticketing policies.

[Screenshot: Configuration > Ticketing Integration > Ticketing Policies tab. Active Tickets table with columns Title, System Name, Modified Date and Posted By (for example, "ServiceNow Ticket Detail", New System, 11/22/2012 1:30:49 PM, Admin; "Ticket Validation", Custom Web Service, 11/22/2012 1:28:10 PM, Admin), each with Disable and Delete links; a Disabled Tickets table ("Check Ticket Details") with Enable and Delete links.]

2. Click Create.

The New Ticket page
168. ctory domain is selected. If you are using Automatic-type LDAP Targets and the user name is not verified, you will get an error message. This check is NOT performed if you are using Manual-type LDAP Targets or when you specify a domain manually. When a user that is configured as an ObserveIT Console User tries to log on to the ObserveIT Web Console, and that user's Authentication target is selected as the Active Directory domain, the ObserveIT Web Console will connect to the destination domain and try to authenticate the user with the user's credentials. Console Users can be granted Admin, View-Only Admin or Config Admin roles, and given permissions on specific servers, groups of servers or individual users, based upon the organization's requirements. This allows the administrator to grant granular replaying access control permissions to specific security managers or auditors; for example, to be allowed to view servers only in the SQL Servers server group, or to be allowed to view sessions only for a limited scope of users. Console Users can also be configured to receive email notifications. The entire configuration process is done through the Configuration > Console Users page. See the following topics:
- Creating and Managing Local Console Users
- Creating Active Directory Console Groups
- Assigning Console User Permissions to View Recordings
169. cy settings, see Identification Policy.
Configuring Forced Identification Users
Forced Identification users are required to identify themselves by a secondary logon prompt when logging on to any ObserveIT monitored server. The secondary logon authentication process forces generic users, such as Administrators or root, to be authenticated against an Active Directory identification target or against Local ObserveIT Users. This topic describes how to add new Forced Identification users. It also describes how to delete Forced Identification users.
Note: Adding Forced Identification users does NOT create any actual users and has no effect on user accounts. It just configures ObserveIT to request a secondary logon when any of these users log on to a monitored server.
To configure Forced Identification Users:
1. Navigate to Configuration > Identification.
[Screenshot: Identification page. The Forced Identification Users section ("These users will be forced to authenticate themselves whenever they log on to a monitored server") lists Domain Name and Login with Manage and Delete links (for example admin4ya, administrator, dba). The Active Directory Identification Targets section ("These are the Active Directory Targets against which the users will authenticate") has a Create button and Domain Name and Type columns]
170. d here.
Backing Up the ObserveIT Databases
It is important to properly back up the data stored inside the SQL databases in case the SQL Server suffers a catastrophic event. All data stored in SQL databases can utilize existing backup solutions that are built in to Microsoft SQL Server, or third-party database backup solutions.
Note: If you have used the archiving feature of ObserveIT, you may have additional SQL Server databases that are used by ObserveIT in addition to the default production databases. If this data is important to your organization, make sure you also include the archive databases in your backup plan.
By utilizing your existing backup solutions you can easily back up your SQL Server and thus protect your ObserveIT data and configuration. For information on how to back up the SQL Server, refer to your backup software manual. You can also refer to the following Microsoft Knowledge Base articles:
- Back Up and Restore of SQL Server Databases
- Backup Overview (SQL Server)
Saving Sessions
This topic describes how to save recorded ObserveIT sessions to view them offline.
Note: Saving sessions for training purposes is not supported in this version of the product. If it is essential that your system is configured to save sessions for training purposes, contact ObserveIT support at http://www.observeit.com/Support. Saving sessions for of
171. d the available group and field options.
To define the Did What conditions:
1. Open the Did What section by clicking the expand arrow or the Edit icon.
The following figure provides an example of some configured Did What conditions.
[Screenshot: Edit Alert Rule page for the rule "Opening hosts file" (Description: Alert if user views hosts file in typical editors; Status: Active; Notification policy: Immediate email; Severity: High; Who: Any user). The Did What section shows Alert only once per session, Unix, and several Executed Command conditions on Command name, Argument (/var/run/observeit) and Switch]
Important: Before you begin, make sure that you have read the Rules for Configuring Alert Conditions described in Understanding the Logic for Triggering Alerts.
2. Define the alert frequency.
Note: The alert frequency applies to all the Did What options except for the Logged In option, since it is not relevant. You must take the alert frequency into account when defining conditions. An alert can be triggered by a specific event, for example a Window title contain
172. daily transactions, thus enabling an even larger volume of data to be archived. Before you begin to configure archiving, you should be aware of the following considerations:
- An archive job always uses the most recently created archive database. As soon as the new archive database is created by the SQL Server administrator, ObserveIT will begin using it. The previously used archive database and its session contents will still be accessible for restore and replay.
- If you are using the file system to store your recorded sessions' visual images (see Storing the ObserveIT Screenshots in the Installation Guide), when archiving is configured a file system will be used to store the images. When images are stored in the database, the database will be used for the archived images. When restoring archived sessions, the images that belong to the sessions will be restored to their original file folder.
- After specific sessions are archived, they will no longer occupy space in the production database/file system. These archived sessions will also no longer appear in the Server or User Diary, or in the Search or Report results. The only way to replay the archived sessions will be to use the Diary tab of the Configuration > Archive page.
- During archiving, the ObserveIT database/file system storage is locked. Although efforts have been made to minimize the lock time, it is recommended that you schedule the archive to be performed when activity on the s
173. data to the ObserveIT Application Server. When offline mode is disabled, in the event of a network malfunction or disconnection between the Agents and the Application Server, no recording or local data will be stored on the monitored machines. When offline mode is enabled and a network malfunction or disconnection occurs between the Agents and the Application Server, the Agents will cache a local copy of the recorded data. When the network is back online, the Agents will transmit the locally cached content back to the Application Server, and the local copy will be removed. ObserveIT lets you configure the amount of local cache content to use.
Important: Although the locally cached files cannot be used other than by viewing them through the ObserveIT system, the locally stored files might still be deleted or moved by a local malicious administrator. In this case, make sure you use proper NTFS file-level permissions and apply auditing on the Queue folder, and monitor any access to and change of that folder.
On Unix-based server policies, you can configure an offline storage location for recorded ObserveIT sessions. By default, recorded data on Unix/Linux Agents is stored under the directory /opt/observeit/agent/run. If connectivity with the ObserveIT Application Server is lost when offline recording is enabled, user activity data will be temporarily stored in the file system of the client machine until connectivity is restored and the data can be transferred
174. day is not between 08:00 and 18:00. From Which Client: Any client.
[Screenshot: Activity Alert Rules list, including the rule "SAMPLE Unix User trying to remove a sensitive directory" (Inactive, 1/4/2015, Admin)]
Alert Rule Tasks
The tasks you can perform from the Activity Alert Rules page include:
- Viewing Alert Rules: View a list of alert rules that were generated during a specified time period and according to the criteria that you specify.
- Filtering Alert Rules: Filter the alert rules displayed in the Alert Rules list per specified criteria.
- Creating Alert Rules: Define the alert rule criteria for creating new alert rules.
- Defining the Who Conditions: Define the alert rule condition that shows who was the logged-in user for whom an alert was triggered.
- Defining the Did What Conditions: Define the alert rule condition that shows exactly what the user was doing when the alert was triggered.
- Defining the On Which Computer Conditions: Define the alert rule condition that shows on which computer the user was logged in when the alert was triggered.
- Defining the When Conditions: Define the alert rule condition that shows at what time/date the alert was triggered.
- Defining the From Which Client Conditions: Define the alert rule condition that shows which client computer was being used when the alert was triggered.
- Defining Alert Notification Policies: Define Alert Notification policies to determin
175. dentification
[Screenshot: Server Groups page with the Show in Dashboard column and the Add Group and Add Servers buttons. Groups listed: All Servers (1), Active Servers (1), Windows Servers (1), Unix Servers (0), Windows WorkStations (0), Windows Gateway (0), Windows ActiveX (0), Finance Servers (1)]
Note: Server groups without attached servers will not be displayed on the dashboard.
Click Save to save the settings. The selected server group appears in the Admin Dashboard.
[Screenshot: Admin Dashboard (Updated 1/6/2015 3:15 PM, Auto refresh OFF; recent statistics based on the past 7 days) showing the System Services panel (Notification, Health Alert Rule Service, Monitoring Engine), Deployed Agent Versions, Agents (1 recently installed, 0 recently uninstalled), App Servers, and Agents Status per group: Active Servers 1, Windows Servers 1]
To add a new server group to the Se
176. dentification Users Policy Templates window, and repeat the above steps. When you have finished defining all your required Forced Identification Users, click Close. The Forced Identification Users list displays the users that you configured to authenticate themselves when they log on to a monitored server.
[Screenshot: Identification page showing the message "Forced Identification Users added successfully" and the Forced Identification Users list (Domain Name, Login, Manage, Delete) containing the entry All Users]
The next step is to configure an LDAP or Active Directory Identification Target, or Local ObserveIT Identification users. A warning message is displayed if you do not configure at least one Active Directory Identification Target or at least one Local ObserveIT Identification user. For further details, see Configuring Active Directory Identification Targets and Configuring Local ObserveIT Identification Users.
Note: After creating the Forced Identification user and adding it to at least one Server Configuration Policy or Server, you will be able to see the Forced Identification user in the Identification Policy section of the Server Policy Template for that policy or server.
Deleting Forced Identification Users
Deleting a Forced Ident
177. describes what is seen on the screen, you can perform very powerful searches across your entire enterprise. Although no visual trace will be available when selecting this option, it will still provide far more auditing capability than a server with no ObserveIT Agent installed. There are two ways to record metadata information:
- Metadata only, without any graphical screenshots being recorded
- Record metadata for specific applications
Record Metadata Only
To record metadata only, without any graphical screenshots, you must use the Default Metadata Only Policy, a preconfigured policy that records only metadata. By default, this policy is not linked to any Server. If you link that policy to one or more servers, these servers will record only metadata information.
Record Metadata for Specific Applications
You can create a new Server Policy that has specific applications excluded in the recording policy, or edit an existing policy to match your needs. You can also manually edit a specific server's configuration.
Note: By default, ObserveIT's Default Configuration Template is configured to record all applications AND the associated metadata. Therefore, in a default configuration scenario there is no need to make any changes in order to record the metadata information.
For example, you might decide that in a particular scenario you only want to record these administration-related applications:
- CMD.exe
- Notepad.exe
178. ding (seconds): OFF
3. Click Save to save the changes. Setting changes will take effect on new user sessions after the current sessions are closed.
Enabling Recording Notification
Note: This feature is supported on both Windows-based and Unix-based server policies.
ObserveIT enables you to notify users that their actions are being recorded during recording sessions on the server. This is most useful on management workstations in which there are privacy issues. When actions are being recorded and the notification message feature is enabled, a yellow recording notification bar appears on the desktop in each recording session, clearly notifying the user that their actions are being recorded and monitored. The default message displays: All activity on this machine is recorded and monitored.
[Screenshot: Windows desktop (My Documents, My Computer, My Network Places) with the yellow notification bar "All activity on this machine is recorded and monitored"]
You can configure the display of the recording notification message manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.
To configure the recording notification message using Server Policies:
1. In the Configuration > Server Policies page, click Create or select a server policy template (Windows-based or Unix-based policy).
2. I
179. dom Q20W2K8 cs3VieWURL cS4SQL DB Q2 baseconfiguration dproc ObserveIT duid Administrator duser n a dvchost OIT RACHELI dvcpid 10 1 100 96 msg Microsoft SQL Server Management Studio rt Aug 11 14 13 25 shost OIT RACHELI sproc ssms src 10 1 100 96 sntdom n a suser n a suid n a destinationServiceName SSMS SQL Server Management Studio deviceProcessName ssms end Aug 11 14 13 25 start Aug 11 14 13 25 Aug 11 14 13 31 host CEF 0lobser vert observer 5 7 0 0 100 observertuser activityl1 cat useractivity cs20S windows dhost Q20w2K8 dntdom Q20W2K8 cs3ViewURL http Q20W2K8 ObserveIT Slideviewer aspx Sessi1onID 7 90F 5439 99E 3 4CE4 BA5D 44766A5CE807 amp DisplayonAir false amp l ang en amp SSID DCAFB5A0 58D3 4CEC 8E2B 949C72AB47EF cs4Command dproc ObserveIT duid Administrator duser n a dvchost OIT RACHELI dvcpid msg ObserveITNotificationservice_Trace Notepad rt Aug 11 14 13 31 shost OIT RACHELI sproc src sntdom suser n a suid n a destinationServiceName Notepad deviceProcessName end Aug 11 14 13 31 start Aug 11 14 13 31
In the CEF header, each data type is identified by a unique ID:
- User activity: 100
- DBA activity: 200
- System events: 300
- Alerts activity: 400
Alerts are identified by their severity level:
- High: 10
- Medium: 8
- Low: 6
Configuring SIEM Log Integration
The following procedure describes how to configure S
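The data type IDs and severity levels listed above are what a SIEM parser keys on when it consumes the ObserveIT CEF log. The following is an added example, not code from the guide or from ObserveIT: a small CEF record parser in Python that splits the pipe-delimited header, parses the key=value extension (values may contain spaces, so the split happens only in front of the next key), resolves csN/csNLabel pairs, and maps the Device Event Class ID and severity to the names the guide documents. The two sample records are constructed for this example, following the field names visible in the guide's log excerpt (duid, dhost, cs2, cs3, msg, rt); the host names, URL and IP address in them are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Data type IDs and alert severity levels exactly as the guide lists them for the CEF header.
EVENT_CLASS_NAMES: Dict[str, str] = {
    "100": "User activity",
    "200": "DBA activity",
    "300": "System events",
    "400": "Alerts activity",
}
ALERT_SEVERITY_LEVELS: Dict[str, str] = {"10": "High", "8": "Medium", "6": "Low"}

# Header layout: CEF:Version|Vendor|Product|DeviceVersion|EventClassID|Name|Severity|Extension
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# Extension values may contain spaces, so split only at whitespace followed by a new key=.
_EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")


@dataclass
class CefEvent:
    version: str
    device_vendor: str
    device_product: str
    device_version: str
    event_class_id: str
    name: str
    severity: str
    extension: Dict[str, str] = field(default_factory=dict)

    @property
    def data_type(self) -> str:
        """Map the Device Event Class ID to the ObserveIT data type the guide documents."""
        return EVENT_CLASS_NAMES.get(self.event_class_id, "Unknown")

    @property
    def alert_level(self) -> Optional[str]:
        """High/Medium/Low for alert records (class 400); None for every other data type."""
        if self.event_class_id != "400":
            return None
        return ALERT_SEVERITY_LEVELS.get(self.severity, "Unknown")


def _unescape_header(value: str) -> str:
    return value.replace(r"\|", "|").replace("\\\\", "\\")


def _unescape_extension(value: str) -> str:
    return value.replace(r"\=", "=").replace(r"\n", "\n").replace("\\\\", "\\")


def parse_cef(line: str) -> CefEvent:
    """Parse one CEF record, tolerating a syslog prefix before 'CEF:'."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    body = line[start + len("CEF:"):]
    parts = _UNESCAPED_PIPE.split(body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields followed by the extension")
    header = [_unescape_header(p) for p in parts[:7]]
    extension: Dict[str, str] = {}
    for pair in _EXT_SPLIT.split(parts[7].strip()):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        extension[key] = _unescape_extension(value)
    # Custom strings arrive as csN plus csNLabel; expose the value under its label as well
    # (cs3Label=ViewURL makes extension["ViewURL"] the cs3 value).
    for key in list(extension):
        if key.endswith("Label") and key[:-len("Label")] in extension:
            extension[extension[key]] = extension[key[:-len("Label")]]
    return CefEvent(*header, extension=extension)


def summarize(line: str) -> Dict[str, Optional[str]]:
    """The fields a SIEM correlation rule would typically key on."""
    ev = parse_cef(line)
    return {"type": ev.data_type, "alert_level": ev.alert_level,
            "user": ev.extension.get("duid"), "host": ev.extension.get("dhost"),
            "msg": ev.extension.get("msg")}


# Constructed sample records (placeholder hosts, URL and address; not from a real installation).
SAMPLE_USER_ACTIVITY = (
    "Aug 11 14:13:25 host CEF:0|ObserveIT|ObserveIT|5.7.0.0|100|ObserveIT user activity|1|"
    "cat=user activity cs2Label=OS cs2=windows dhost=EXAMPLE-W2K8 duid=Administrator "
    "cs3Label=ViewURL cs3=http://example-console/ObserveIT/SlideViewer.aspx?SessionID=SAMPLE-ID "
    "msg=Microsoft SQL Server Management Studio src=10.0.0.5 rt=Aug 11 14:13:25"
)
SAMPLE_ALERT = (
    "Aug 11 14:13:31 host CEF:0|ObserveIT|ObserveIT|5.7.0.0|400|ObserveIT alert|10|"
    "cat=alert cs2Label=OS cs2=Unix dhost=EXAMPLE-UNIX duid=root "
    "msg=Executed Command rm -rf /etc/hosts rt=Aug 11 14:13:31"
)

if __name__ == "__main__":
    for record in (SAMPLE_USER_ACTIVITY, SAMPLE_ALERT):
        print(summarize(record))
```

The parser deliberately keys on the numeric class ID rather than on the free-text Name field, since the ID list above is the stable contract; a record whose severity is not one of 10, 8 or 6 is reported as "Unknown" rather than silently dropped.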
180. e alerts and receive alert notification emails. Viewing Alert Indications in the Web Console describes how to view sessions that have alerts, view alerts in recorded session videos in the Session Player, and search for sessions according to an alert ID. Managing Alert Rules describes how to view alert rules in different modes; create, edit, duplicate and delete alert rules; and how to define alert notification policies. Integrating Alerts in SIEM Products describes how to integrate alerts into your organization's existing SIEM system.
Managing Activity Alerts
The Activity Alerts page provides information about alerts, enabling administrators to view and manage activity alerts in the Web Console.
Important: Alerts are triggered by alert rules, which define the conditions that could signify suspicious activity on ObserveIT monitored servers. ObserveIT administrators can create and manage alert rules from the Activity Alert Rules page by selecting Configuration > Alerts > Activity Alert Rules in the ObserveIT Web Console. For further details, see Managing Alert Rules.
To open the Activity Alerts page, click the Activity Alerts tab in the ObserveIT Web Console. The Activity Alerts page opens in List view, which is the default mode, displaying a list of alerts according to the specified severity and filter criteria.
[Screenshot: Activity Alerts page in List view]
181. e and you need to stop a specific Agent from working. In addition, you may need to free one or more licenses to be able to install the Agent(s) on additional machines. In these cases, you can unregister the server from the Servers list. Unregistering a server will NOT actually uninstall the Agent software on that machine. You will still need to remove the Agent software. Unless you manually uninstall the Agent software, each time a user logs on to the once-monitored machine the following error message will be displayed: The ObserveIT Agent was unregistered by the administrator. Please manually uninstall the Agent software from this computer by using the Add/Remove Programs applet in the Control Panel. The unregistered server's data is still retained inside the database, and you can perform searches and watch recorded sessions from these servers.
To unregister a server:
1. In the Configuration > Servers page, click the expand icon next to the server that you want to unregister, and click the Unregister link located on the right of the expanded details.
[Screenshot: Servers page (Server Groups filter: All Servers; More Filters; 1-2 of 2) with one server's details expanded, showing Server Name, OS Type (Unix) and OS Version (CentOS 5)]
182. e SQL Server Database
When the SQL Server database is used for storing screen image data, you can view the information about the currently active screen capture data storage.
To view screen capture data stored in the SQL Server database:
1. Navigate to Configuration > Storage.
2. Click the Screen Capture Data tab.
[Screenshot: Storage page, Screen Capture Data tab, Active Screen Capture Data Storage section: Screen capture data stored in SQL Server; Database Server WIN-459707VGBK2; Database name ObserveIT_Data; Database path under the SQL Server data directory; Date range of included sessions 1/6/2015 4:36 PM to 1/11/2015 12:29 PM; Current screen capture storage 1.00 GB, 278 slides]
The following information is displayed:
- Screen capture data stored in SQL Server
- Database server: Name of the server hosting the SQL Server
- Database name: Name of the database storing the screen capture images
- Database path: Path to the location of the database
- Date rang
183. e Server Screen Capture Data
[Screenshot: Screen Capture Data tab, Active Screen Capture Data Storage section: Screen capture data stored in File System; File system location; Date range of included sessions 07/29/2013 12:42 to 12/22/2013 11:49; Current screen capture storage 0.05 GB, 27 slides; Low disk space notification Not Configured (Change button); New Screen Capture Storage Location. Below it, the Additional Screen Capture Data Storage table (Path Location, Status, Size (GB), Slides, Date Added, Added by, Last Session Date) with the option "Show unavailable paths and paths containing no Screen Capture Data"]
The following information is displayed about the currently active screen capture data storage:
- Screen capture data stored in File System
- File system location: File system path (local on the server or a network share)
- Date range of included sessions: First date and time to last date and time
- Current screen capture storage: Size of storage for the current screen capture session (GB) and number of slides
- Low disk space notification: Not Configured threshold, showing the maximum actual disk space allocated for the screen capture data
To configure a threshold for a system event if the file system reaches its maximum allocated storage:
1. In the Screen Capture Data tab, click the Change button next to Low disk space notification to open a d
184. e Sticky Notes feature is accessed by using the F11 Hotkey.
Note: Sticky Notes do not prevent the user from continuing with their action and actually performing the task to which the Sticky Note was attached. To prevent users from performing harmful actions, you must use the built-in Windows permissions and user rights mechanism.
Note: ObserveIT also allows you to create more advanced messages that will be displayed for users logging on to monitored servers. For further details, see Managing Messages.
Configuring ObserveIT Sticky Notes
Sticky Notes can be created for virtually any application or application property sheet.
To create a Sticky Note (this example will warn users about changing the time on the server):
1. Open the Date and Time applet.
2. Press F11. The Sticky Note creator window opens.
3. Type the text that you want to display in the Sticky Note.
4. Click OK.
Note: You can use any language supported by your version of Windows.
[Screenshot: Date and Time Properties dialog (Date & Time, Time Zone, Internet Time tabs; current time zone Jerusalem Daylight Time) with the Sticky Note creator window on top: Preview Screenshot, Add Description "Do NOT change the time without consulting with Daniel at ...", OK]
185. e directory
[Screenshot: Activity Alert Rules page in Details mode (columns Description, Status, Updated on, Updated by; three rules, each Inactive, 12/29/2014, Admin). The expanded sample rule reads: Description: Removing sensitive data can cause data loss and may jeopardize system stability. Who: Any user. Did What: Executed Command, Command name is rm AND Executed Command, Argument contains etc, bin, usr AND Executed Command, Switch is r, f. On Which Computer: Any computer. When: Any time. From Which Client: Any client. OS: Unix]
2. You can filter the alert rules displayed in the Alert Rules list (see Filtering Alert Rules).
3. You can switch between List and Details modes, as described in the following procedures.
To view alert rules in List mode:
1. In the Show area of the Activity Alert Rules page, click the List icon. List mode displays one line of information about each alert rule. This is the default mode. Alert rules are presented by date in reverse chronological order, so that the most recently defined rules appear at the top of the list.
For each alert rule in the list, the following information is displayed, according to the filtered details, including the specified status (All, Active or Inactive) and alert severity (All, High, Medium, Low):
Severity bar: A colored bar representing the severity of the alert rule:
- Red: High severity
- Orange: Medium severity
- Yellow: Low severity
186. e for the:
- Operating system on the SQL Server
- SQL databases' disks
- SQL databases
- File System for storing graphical images
- Archive configuration
- Database maintenance
SQL Server Operating System Optimization
To optimize the SQL Server's memory usage, follow the steps described in the Microsoft KB article Enable the Lock Pages in Memory Option (Windows).
SQL Databases Disk Storage Optimization
The SQL Server database, which is used to store captured data and configuration settings, continuously grows as more sessions are recorded. To prevent data loss as the database becomes full, it is recommended that you optimize your database storage configuration as follows:
- Use dedicated disk arrays for data files (MDF files), transaction logs (LDF files) and the tempdb database.
- Use Microsoft best practices when formatting and configuring disk alignment. For further details, refer to the Microsoft article Disk Partition Alignment Best Practices for SQL Server.
Databases Configuration
During installation, the ObserveIT Database Server creates the following databases on the SQL Server for storing captured data and configuration settings:
- ObserveIT
- ObserveIT_Data
- ObserveIT_Archive_1
- ObserveIT_Archive_template
The SQL Server must be configured for optimal performance so that the databases used by the server do not become a bottleneck that affects the overall performance of the system. For details o
187. e logged on to monitored servers can receive notification via email about the specific servers to which they have logged on and from which client machines they logged in. To enable users to receive these email notifications from ObserveIT, the Identity Theft Detection feature must be enabled. You can enable this feature manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.
To enable identity theft detection using Server Policies:
1. In the Configuration > Server Policies page, click Create or select a server policy template (default Windows-based or Unix-based policy).
2. In the System Policy section of the Server Policy Template page, select the Enable Identity Theft Detection check box. By default, this check box is disabled.
[Screenshot: Server Policy Template page (Name: Default Windows-based Policy), System Policy section with the Enable Identity Theft Detection check box among the other System Policy options, followed by the Set image format, Set session timeout (minutes: 15) and Set keyboard frequency settings]
188. e message. When the user has finished providing input, the user can click Next to proceed to the next message. For the final message, the user must click Finish to close the messages window.
Ticketing System Integration
When ObserveIT's session recording system is integrated with an IT ticketing system, selected IT administrators or remote vendors can be requested to enter a valid ticket number in order to complete the login process to a corporate server. A ticket is an element in an issue tracking system that references specific information about the issue. Each ticket has a unique reference number, also known as a case, issue or call log number, which allows the user to quickly locate, add information to, or update the status of the issue or request. The benefits of integrating an IT ticketing system with ObserveIT's session recording system include:
- Enforced segregation of duties: Improved security by limiting server access to administrators and remote vendors who are in possession of a specific ticket number for which access to the server is required.
- Improved tracking of sessions: You can search for all sessions that are related to a specific ticket instead of using search keywords or looking through lists of sessions.
- Faster and easier user activity auditing: By linking tickets directly to the video recording of the server session that address
189. e name, or click the Edit link next to it. The Edit Alert Rule page opens, showing the details and conditions currently defined for the selected alert rule, as in the following example.
[Screenshot: Edit Alert Rule page for the rule "After hours access to sensitive servers" (Description: Someone logging in during the weekends/holidays, before 08:00 a.m. or after 6:00 p.m.; Status: Active; Severity: Medium; Notification policy: Email on every alert). Who: Login (secondary) contains micky. Did What: on Windows and Unix, Logged in. On Which Computer: Any computer. When: Time of day is not between 08]
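The rule editor screens shown on this page combine several condition types: the Did What conditions with their alert frequency (item 171), the sample Unix rule "Command name is rm AND Argument contains etc, bin, usr AND Switch is r, f" (item 185), and the When condition "Time of day is not between 08:00 and 18:00" with a Who condition on the secondary login (item 189). The following is an added example, not code from the guide or from ObserveIT, that evaluates rules of this shape in Python over constructed command events, so that the AND semantics, the "is" versus "contains" operators, the business-hours window and "alert only once per session" suppression can be checked against sample input. Two details are assumptions rather than documented behaviour: a multi-valued condition (etc, bin, usr) is treated as matching if any listed value matches, and the after-hours rule is applied to any recorded activity by the matching login.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import List, Optional, Tuple


# Constructed event with the Did What fields the guide shows for Unix (Executed Command:
# Command name, Argument, Switch) plus the login, session and time-of-day used by Who/When.
@dataclass
class CommandEvent:
    session_id: str
    login: str
    command_name: str
    arguments: List[str]
    switches: List[str]
    time_of_day: time


@dataclass
class Condition:
    field_name: str    # CommandEvent attribute: "command_name", "arguments", "switches" or "login"
    operator: str      # "is" (exact) or "contains" (substring), as in the rule editor
    values: List[str]  # assumption: a multi-valued condition holds if any listed value matches

    def matches(self, event: CommandEvent) -> bool:
        actual = getattr(event, self.field_name)
        items = actual if isinstance(actual, list) else [actual]
        for wanted in self.values:
            for item in items:
                if self.operator == "is" and item == wanted:
                    return True
                if self.operator == "contains" and wanted in item:
                    return True
        return False


@dataclass
class AlertRule:
    name: str
    severity: str
    conditions: List[Condition]                         # Who/Did What conditions, AND-ed together
    business_hours: Optional[Tuple[time, time]] = None  # When: "time of day is not between" start, end
    alert_once_per_session: bool = False                # alert frequency from the Did What section
    _fired_sessions: set = field(default_factory=set, init=False, repr=False)

    def evaluate(self, event: CommandEvent) -> bool:
        if not all(c.matches(event) for c in self.conditions):
            return False
        if self.business_hours is not None:
            start, end = self.business_hours
            if start <= event.time_of_day < end:
                return False  # inside the window, so not after hours: no alert
        if self.alert_once_per_session:
            if event.session_id in self._fired_sessions:
                return False  # this session has already produced the alert
            self._fired_sessions.add(event.session_id)
        return True


def build_rules() -> List[AlertRule]:
    """Fresh rule instances modelled on the two rules shown in the guide's screenshots."""
    return [
        AlertRule(
            name="Unix user trying to remove a sensitive directory",
            severity="High",
            conditions=[
                Condition("command_name", "is", ["rm"]),
                Condition("arguments", "contains", ["etc", "bin", "usr"]),
                Condition("switches", "is", ["-r", "-f"]),
            ],
            alert_once_per_session=True,
        ),
        AlertRule(
            name="After hours access to sensitive servers",
            severity="Medium",
            conditions=[Condition("login", "contains", ["micky"])],
            business_hours=(time(8, 0), time(18, 0)),
        ),
    ]


# Constructed events (not real recordings): a repeated rm in one session, an rm on a path that is
# not sensitive, and the same login once after hours and once within business hours.
SAMPLE_EVENTS = [
    CommandEvent("s1", "root", "rm", ["/etc/hosts"], ["-r", "-f"], time(14, 0)),
    CommandEvent("s1", "root", "rm", ["/etc/passwd"], ["-r", "-f"], time(14, 1)),
    CommandEvent("s2", "root", "rm", ["/tmp/build"], ["-r", "-f"], time(15, 0)),
    CommandEvent("s3", "micky", "ls", ["/home"], [], time(22, 30)),
    CommandEvent("s4", "micky", "ls", ["/home"], [], time(10, 0)),
]


def evaluate_events(rules: List[AlertRule], events: List[CommandEvent]) -> List[Tuple[str, str, str]]:
    """Return (rule name, severity, session id) for every alert that fires, in event order."""
    fired = []
    for event in events:
        for rule in rules:
            if rule.evaluate(event):
                fired.append((rule.name, rule.severity, event.session_id))
    return fired


if __name__ == "__main__":
    for hit in evaluate_events(build_rules(), SAMPLE_EVENTS):
        print(hit)
```

Because once-per-session state lives on the rule instance, the same rule object must be reused across the events of a session for the suppression to take effect, which is why build_rules() returns fresh instances per evaluation run.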
190. e name OIT CEF 1log, or specify a new one.
6. In the Log file cleanup section, schedule the frequency for clearing the log file:
- Select Run daily at and specify the required time of day for the daily cleanup. Or
- Select Run every and specify the required number of days, hours or minutes for the cleanup.
7. Click Save to save the settings. After a few minutes the log file will be generated. A new log file will be created according to the scheduled cleanup frequency.
LDAP Settings Configuration
When deployed in a workgroup installation scenario, ObserveIT Console Users are created locally in the ObserveIT Web Console. This means that you need to manually create a Console User for each user that requires access to the ObserveIT Web Console. In addition, when using ObserveIT's Identification Services, users logging on to the monitored servers or workstations with generic-type user accounts, such as the built-in Administrator, will be forced to provide secondary credentials that will be used to identify them. In this scenario, the ObserveIT auditor will know who really used the Administrator account. Similar to Console Users, when deployed in a workgroup installation scenario, local ObserveIT users must be created in the Web Console, and these credentials must be provided to the users logging on to the monitored computers in order for them to successfully identify
191. e of included sessions: First date and time to last date and time
- Current screen capture storage: Size of storage for the current screen capture session (GB) and number of slides
Configuring Screen Capture Data Storage when using the File System/Network Share
As data quickly accumulates, both in file numbers and overall data size, it is essential that you have enough storage space on the disks that hold the folder in which you want to store all the recorded visual images. When only a single file system path location is defined, once the disk is full the system stops recording, and you need to remove data from the disk in order to continue recording. From the Screen Capture Data tab you can configure multiple file systems, which enables you to extend and manage your file system storage without disrupting recording.
Note: If required, you can release some disk space by running the archive process (see Archiving Information).
To configure screen capture data storage using the File System/Network Share:
1. In the Active Screen Capture Data Storage section of the Screen Capture Data tab, in addition to viewing specific information about the active screen capture data storage, you can:
- Define a threshold that will trigger a system event if the file system reaches its maximum allocated storage
- Create new file system locations for screen capture data
- View previous file system locations in order to replay recorded sessions
Databas
192. e relevant server group name.
[Screenshot: Server Groups page listing the server groups (All Servers, Active Servers, Windows Servers, Unix Servers, Windows WorkStations, Windows Gateway, Finance Servers) with the Show in Dashboard option and the Add Group, Add Servers and Delete buttons]
Note: Server groups without attached servers will not be displayed on the dashboard.
A message is displayed prompting you to confirm the deletion.
3. Click OK to proceed. The server group is deleted. The related servers are no longer associated with the group.
Note: The servers that were members of the deleted group will not be deleted. However, deleting a server group may affect the permissions that are assigned to one or more Console Users. In such a case, a Console User might not be able to access these servers anymore.
Server Policies
In ObserveIT terminology, Servers (or Agents) are the computers on which the ObserveIT Agents are installed and which are monitored and recorded. Servers (or Agents) are configured by using Server Policies. Server Policies are sets of configuration options that control aspects of how the monitored server is configured. By using Server Policies, the administrator can easily configure one set of recording settings and apply these settings to one or many monitored servers at the same time. The default Server Policy Templates include:
- Default Windows
193. e requests from specific domains, logins and/or clients. To search for specific approved pairs, specify your search criteria in the fields provided above the list and click Search.
Approving and Rejecting Pending Requests
If a user logs in to a server from a client that is not paired to the user (that is, it does not appear in the Approved User-Client Pairs list), a pairing request is created. The pairing request will appear in the Pending Requests list. The ObserveIT administrator can approve or reject the pending request. If there is no indication of suspicious login activity, the administrator will approve the request and it will appear in the Approved User-Client Pairs list. If the login event is suspicious (that is, identity theft is suspected), the administrator receives an email reporting the suspicious login event and will reject the pairing request.
To approve a pending request:
- In the Pending Requests list, select the pairing request and click Approve. After receiving a confirmation email that the request was approved, the user will no longer receive emails about activity for this specific user-client pairing.
To reject a pending request:
- In the Pending Requests list, select the pairing request and click Reject. After receiving a confirmation email that the request was rejected, the user will continue to receive email notifications about this user-client activity.
Note: You can filter the Pending Requests list in order to ret
194. e role of the Console User:
- Admin: This role has full control over all the management features of ObserveIT. An Administrator can make changes to the ObserveIT configuration and is allowed to view all session recordings.
- View Only Admin: This role can view session recordings but cannot gain access to any ObserveIT configuration option.
- Config Admin: This role can see all users and their permissions but can create or delete only Config Admin users. Config Admin users are unable to view session recordings.
By default, the Allow access to All Servers group check box is selected for new Console Users, which allows them access to all the deployed ObserveIT Servers. If required, you can clear the check box and then manually grant the Console User the appropriate access rights to either single ObserveIT Servers or to Server Groups.
1. Enter the user's email address in the Email field and click Add. The email address will be added to the list.
2. Repeat the above step for each email address you want to add.
Note: To remove an email address from the list, select it and click Remove.
7. When you have finished configuring the new user, click Add. If required, you can repeat this procedure to add another user.
8. Click Close to close the Add Console User dialog box. The new user is added to the list in the Console Users page. A message is displayed at the top o
195. e sufficient write-to-file permissions to write a log file.
Rule Engine Events
Code | Event Name | Category | Severity | Description
1322 | Rule Engine Service is not working properly | Functionality | High | The Rule Engine Service was unable to create alert rules. Perhaps the service was terminated or was configured incorrectly. Restart the service (go to Start > Services).
1323 | Rule Engine Service is OK | Functionality | Low | The Rule Engine Service is working properly.
1329 | Rule Engine Service has started | Functionality | Low | The Rule Engine Service has started.
1330 | Rule Engine Service has stopped | Functionality | High | The Rule Engine Service has stopped. Restart the service (go to Start > Services).
Storage Threshold Events
Event Name | Category | Severity | Description
Storage threshold has reached its configured limit | Data Loss | Medium | The storage threshold has reached its limit. Additional storage should be configured.
Allocated storage space has reached its configured limit | Data Loss | High | The maximum allocated storage space has reached its limit. To prevent screen capture data loss, additional storage space must be configured immediately.
Viewing System Events
System Events
In the System Events list you can view the names and severities of all generated system events, with the newest events at the top, organized by date/time and color-coded per severity level.
196. e user after SMTP settings are configured (see SMTP Configuration) and a recipient email address is configured (see Receiving Alert Notifications by Email).
To create a new archive database on the existing server:
1. In the Active Archive Database section, click the Add New Archive Database button. The New Archive Database dialog box opens.
[Screenshot: New Archive Database dialog box (SQL Server) with the fields New archive database name (prefilled ObserveIT_Archive_), Database username and Database password, and the Generate Script and Create New Archive Database buttons]
2. Enter user credentials (username and password) for the current database.
Note: If you do not have the correct SQL Server dbcreator permissions, click the Generate Script button to generate an SQL Server script that may be run remotely on the target SQL Server by a database administrator with permissions to create a new database on the current database server.
[Screenshot: Show Recycle Query panel ("Copy the query and execute in SQL query tool") displaying the query exec Observell dbo SvkArchive_RecycleArchive]
3. Click Create New Archive Database.
Archiving Information
Note: An archive job always uses the most recently created archive database. As soon as the new archive database is created by the SQL Server administrator, ObserveIT will begin using it. The previously used archive database will be displayed in the
197. e who gets notified by email and at what frequency.
Editing and Duplicating Alert Rules: edit and duplicate alert rules as required.
Deleting Alert Rules: delete alert rules that are no longer required.
Viewing Alert Rules
In the Activity Alert Rules page you can view and manage all the currently configured alert rules.
To view alert rules:
1. Navigate to Configuration > Alerts. The Activity Alert Rules tab opens by default in List view, which is the default mode.
[Screenshot: Activity Alert Rules page in List view, with the Manage Alert Rules toolbar (Create New Alert Rule, Status and Severity filters, More Filters, Search) showing 17 alert rules, for example SAMPLE Access from outside the organization, SAMPLE After hours access to sensitive servers, SAMPLE Unix User trying to remove a sensitiv]
198. each audit entry, the following information is displayed:
- (Details icon) Click to view the exact configuration details that were made for the entry.
- The time that the action occurred (that is, the change was made).
- The Console User that was logged in to the Web Console.
- The Client IP address of the user that performed the action.
- The Area in the Web Console that was changed.
- The Item in the Area on which the configuration was changed. For example: LDAP Target Domain, Default Windows-based Policy, and so on.
- The action that was performed on the configured item. For example: Changed, Removed, Added.
Using Hotkeys
ObserveIT allows you to access the following features by using the F11 and F12 hotkeys:
- F11 enables you to create Sticky Notes, which can be attached to resources and applications on the monitored servers.
- F12 enables the use of context-sensitive searches through the database.
You can attach Sticky Notes at any point in a program, dialog or configuration setting to provide specific information about what to do or NOT to do for that situation. The Sticky Note will appear whenever anyone accesses that resource or application in the future. Sticky Notes can be created for virtually any application or application property sheet, as long as the application's window title is unique.
Note: Sticky Notes will not prevent the user from continuing with th
199. eat Detection
[Screenshot: Server Policy Templates page listing the Windows-based computer policies (Default Windows-based Policy with 1 linked Server, Default Metadata Only Policy, Default Recording Disabled Policy) and the Default Unix-based Policy, each with its Install Parameter (a GUID) and number of linked Servers]
Linking Servers to Server Policies
By default, all the Servers (or Agents) are automatically configured by one of the Default Server Policies, either the Windows-based Policy or the Unix-based Policy. You can change this and link Servers or Server Groups to a different Server Policy Template.
Note: Only one Server Policy Template can be linked to a Server at any given time. If a different Server Policy Template is linked to the same Server, the previous Server Policy Template will be unlinked from the Server immediately and the new Server Policy Template will be linked to it instead.
There are two ways of linking a Server to a Server Policy Template:
1. From the Server Policy Templates li
200. ecorded metadata, image pointers and configuration settings. It is important to properly monitor the database site and its health. You can use any number of well-known procedures and monitoring tools to do this; however, it is beyond the scope of this document to deal with SQL management and monitoring best practices and tools. The ObserveIT Web Console provides important information about the current status of the ObserveIT database server, including identifying whether the system is using the SQL database or the file system for screen capture storage.
To view information about the currently configured database storage:
1. Navigate to Configuration > Storage.
2. Click the Database Server tab.
[Screenshot: Database Server tab of the Storage page. Database Information: Database type SQL Server; Database Server name WIN-459707VGBK2; Connection account SQL User; Current DB size 2.26 GB; Low DB space notification Not Configured; Number of Database Servers 1; Number of Database users 1; Screen capture data stored in SQL Server]
201. ect the domain name and type the user's Login name. Click the Add button. Repeat this step for each user you want to include. The specified users are displayed in the list.
Note: The Domain drop-down list displays all the domains in the Active Directory forest in which the ObserveIT Application Server is a member. You can also select all the domains.
Or:
3. From the Include drop-down list select Group, select the domain name from the Domain drop-down list and type the Group Name. Click the Add button. Repeat this step for each group you want to include.
4. If you want to allow textual metadata to be recorded for any user, even though visual data will only be available for specific users, select the Record metadata for all users check box. This option is only available if there are one or more users/groups in the Include list.
Note: You can remove users/groups from the list by selecting them and clicking the Remove button.
5. Click Save to save the changes. Setting changes will take effect on new user sessions after the current sessions are closed.
Application Recording Policy
Note: This feature is supported only on Windows-based server policies.
By default, ObserveIT is configured to record all the applications that are used by users that log on to any monitored computer. The list of applications is dynamically generated, which means that wh
202. ed Agents
Admin Dashboard
In the Agents portal of the Admin Dashboard you can view the statuses of Agent groups. This enables you to easily identify problematic Agents in the system, for example whether any have incurred tampering or data loss. From the Agents portal you can drill down to examine further details about the Agents, including operational statuses and system events, in order to identify the causes and respond accordingly. Each row in the Agents list represents an Agent group and displays the name of the group and the number of Agents in the group, as well as status and error information.
To view Agent status:
1. In the Agents portal, view a list of Agent groups, the number of Agents in each group, color-coded statuses (red when with errors, orange when unreachable/disabled, green when OK, and so on) and the number of Agents with errors.
2. When any of the Agents in a particular Agent group have been tampered with and/or have experienced data loss in the past 7 days, the relevant row is marked with the Tampered With icon and/or the Data Loss icon. When tampering has occurred, the relevant Agent group row is also shaded orange for easy identification.
3. Place the mouse over the relevant icon to view a tooltip indicating the date of the last occurrence of tampering or data loss. For example:
[Screenshot: Agents list with the columns Group, Agents, Status and Error; the All Servers row (6 Agents) shows a tooltip "Tampering occurred during the past 7 days, last o
203. ed field, relevant operator and specify value(s) for each condition that you want to define, as described in the following table.
Options for Defining the On Which Computer Conditions
Field | Operators | Example values
Computer domain name | is, is not, contains, does not contain, starts with, does not start with, ends with, does not end with, is empty, is not empty | LOCAL DB, DomainA, FIN
ObserveIT server group name | Same as above | Windows, GroupA, Unix
Computer IP address | Same as above | IP address, for example 101.100.100.10
Agent version number | is not, is higher than, is lower than |
Defining the When Conditions
In the When section of the Create Alert Rule page you can define or edit on what day and/or at what time the suspicious activity occurred.
To define the When conditions:
1. Open the When section by clicking it or the Edit icon.
[Screenshot: Create Alert Rule page (Alert Rule Details: Name, Description, Notification policy) with the Who, Did What, On Which Computer, When and From Which Client sections; the When section shows the conditions "Time of day is after ..." and "Day of week is not ..."]
204. ed the ticket, you can easily review the exact actions performed by administrators in the context of the ticket.
The following types of ticketing systems can be integrated with ObserveIT:
- Built-in ticketing systems are provided by ObserveIT as out-of-the-box integrations. ServiceNow is currently supported.
- Customized ticketing systems are implemented by customers according to their own requirements.
Note: ObserveIT provides API instructions to help customers build a Web Service that will enable them to implement the integration of ObserveIT with their own ticketing system. The ObserveIT installation package includes a template project as an example of a Web Service that was created by ObserveIT to demonstrate how the customer Web Service should be built. For further details, see the ObserveIT Ticketing Integration Guide.
Overview of the IT Ticketing System Integration Process with ObserveIT
1. An IT administrator or remote vendor logs on to an ObserveIT monitored server or workstation by entering their credentials in the regular Windows Authentication log-on screen.
Note: If ObserveIT's Identification Services are enabled and configured, users will be required to identify themselves with a secondary ObserveIT log-on prompt. For further details, see Identification Services.
2. Before the user can access the requested server, a message is displayed pro
205. eir action and actually performing the task to which the Sticky Note was attached. To prevent users from performing harmful actions, you must use the built-in Windows permissions and user rights mechanism.
Note: ObserveIT also allows you to create more advanced messages that will be displayed for users logging on to monitored servers.
The Context Sensitive Search feature allows you to easily search for the resource you are currently accessing.
By default, these hotkeys are disabled. To use the hotkeys, you must first enable the hotkeys status. You can do this manually per server (or Agent) or by using Server Policies to configure many servers (or Agents) simultaneously. For instructions on how to enable the use of hotkeys using Server Policies, see Enabling Hotkeys.
[Screenshot: System Policy section of a Server Policy Template (Enable recording, Enable Identity Theft Detection, Enable API, Show tray icon, Restrict to RDP) with the Enable hotkeys check box]
See the following topics:
- Sticky Notes
- Context Sensitive Search
Using Hotkeys
Sticky Notes
ObserveIT constantly monitors the resources and applications accessed by users on the monitored servers. Sticky Notes can be attached at any point in a program, dialog or configuration setting to provide specific information about what to do or NOT to do in that situation. The Sticky Note will appear whenever anyone accesses that resource or application in the future. Th
206. eIT role permissions on the ObserveIT database. To delete data using SQL Server authentication, provide credentials of a SQL Server login with db_owner role permissions on the ObserveIT database.
Saving the Job Schedule
1. When you have finished defining the archive job schedule, save it by clicking the Save Schedule button. The page displays information about the job status (Active or Disabled), when the job is next scheduled to run, and the number of sessions and screenshots that will be processed in each instance.
[Screenshot: Archive page, Schedule Status and Information panel: Enabled; Status Pending; Next Running Date 2/1/2014 1:00 PM (data older than 11/1/2013 12:00 AM will be affected; current DB time is 1/26/2014 4:18:51 PM); Sessions to Archive 36; Screenshots to Archive 4616; schedule created on 1/26/2014 4:18 PM]
Archiving Information
2. After the job schedule starts, the job status will switch to Running and the sessions will be copied to the archive storage. After all the sessions have been copied, they will be deleted from the production database/file system storage.
[Screenshot: Archive page, Schedule Status and Information panel: Enabled; Status Running (Copy to Archive 6); Next Running Date 2/1/2014 1:00 PM; data older than 11/4/2013 12:00 A
207. [Screenshot: Active Directory group properties dialog (General, Members, Member Of and Managed By tabs) listing members from the oit.demo.local/Groups folder, with a Cancel button]
4. If you want to configure the ObserveIT Identification Service to allow access to all Active Directory groups except those in the Exclude list:
   1. Select Enable all groups from this Active Directory domain.
   2. In Exclude Group, enter the domain name of the Active Directory group that you want to exclude from the Identification Service, or select it from the list of all the domains in the Active Directory forest in which the ObserveIT Application Server is a member.
   Note: ObserveIT easily integrates with your Active Directory forest, enabling you to use user and group objects from any domain in the forest in which the ObserveIT server-side components are installed and in which the ObserveIT Agents are deployed (if different). Cross-forest trusts can also be used. Although using groups from Active Directory domains is possible with any group scope (domain local, global or universal), it is recommended that you follow Microsoft's best practices on group object usage. For further details, refer to Active Directory Best Practices.
   3. Enter the group name that you want to exclude (in this case, "no oit logon") and click Add.
[Screenshot: Active Directory Groups No
208. en a user loads an application for the first time, it will be registered in the applications list. However, if you do not want to record all the applications that are used, ObserveIT lets you configure a recording policy that specifies which applications to include in or exclude from being recorded. You can also configure a recording policy to record just metadata for applications, in which case no video will be captured.
You can configure an application recording policy manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.
To configure an application recording policy using Server Policies:
1. In the Configuration > Server Policies page, click Create or select a server policy template (Windows-based policy).
Configuring Server Policy Settings
2. In the Application Recording Policy section of the Server Policy Template page, you can select options for creating an application recording policy.
[Screenshot: Application Recording Policy section: Record all applications selected; the text "To de-activate recording video & metadata for a specific application, please select the process name from the list and click Add. You can add multiple applications to this list."; an Exclude list with Internet Explorer (iexplore) selected and an Add button; Exclude URL (Exact Match) with Add and Remove buttons; and the option "Also Record metadata for Exclude applications (No video wil
209. ent from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.
To disable the Agent recording status using Server Policies:
1. In the Configuration > Server Policies page, click Create or select a server policy template (default Windows-based or Unix-based policy).
2. In the System Policy section of the Server Policy Template page, clear the Enable recording check box. By default, this check box is enabled to allow recording at the start of every session.
[Screenshot: Server Policy Template page (Default Windows-based Policy) with the System Policy section: Enable recording, Enable Identity Theft Detection, Enable API, Show tray icon, Restrict to RDP, Enable hotkeys, Enable key logging, Optimize screen capture data size, Enable recording notification ("All activity on this machine is recorded"), Set image format (Grayscale), Server Compression, Set session timeout minutes (15), Set keyboard frequency (Low), Set continuous recording seconds (OFF)]
3. Click Save to save the changes. Setting changes will take effect on new user sessions after the current sessions are closed.
Enabling Identity Theft Detection
Note: This feature is supported on Windows-based and Unix-based server policies.
When an Identity Theft Detection policy is configured in ObserveIT, users who ar
210. equired corrective action. For example, if the service is not working properly, then you need to restart the service. For further details about system events and event types, and some possible causes and solutions, see Viewing System Events and Event Types.
Refreshing the Admin Dashboard
You can refresh the data displayed in the Admin Dashboard manually or automatically.
To manually refresh the Admin Dashboard:
- On the info bar on the upper right of the Admin Dashboard, click the Refresh button. The data in the Admin Dashboard is updated and the Updated field displays the refresh date and time.
To automatically refresh the Admin Dashboard:
- On the info bar on the upper right of the Admin Dashboard, switch the Auto refresh button to ON and choose an option from the drop-down list to automatically refresh the page every 5, 10 or 15 minutes. The data in the Admin Dashboard is updated per the set time interval and the Updated field displays the refresh date and time.
Console Users
ObserveIT administrators are also known as Console Users. Console Users can log on to the ObserveIT Web Console and view recorded sessions and other information, as well as make configuration changes based upon their role. There are three types of Console User roles:
- The Admin role has the highest permissions, with full control over all the management features of
211. er must re-enter their credentials.
The ObserveIT log-on screen (identification prompt) is not configured to entirely prevent access to the system by design: since the user has successfully logged on to the system, the user's identity was already granted the appropriate security token. This means that while the secondary authentication (ObserveIT log-on screen) prompt is still open waiting for the user's input, the user may be able to press a combination of keys in order to invoke the Task Manager. From the Task Manager, the user may execute other applications.
[Screenshot: Windows Task Manager (Processes tab) listing processes such as userinit.exe, rdpclip.exe, VMwareTray.exe, csrss.exe, taskmgr.exe, winlogon.exe, ctfmon.exe and explorer.exe, open alongside the ObserveIT Secondary Identification Login prompt ("All activity on this machine is recorded and monitored") with the Create New Task dialog open]
212. er policies only.
Recording in Basic or Extended Mode
On Unix/Linux-based operating systems, the ObserveIT Agent records:
- All interactive shell logins to the system, whether via SSH, Telnet or local console.
- Each command-line activity on the system.
- Every activity displaying screen output (visually recorded).
- System functions that were executed by commands or scripts that were executed by the user.
Recording on Unix/Linux-based operating systems can be handled in two modes:
- Basic mode is used to record commands and terminal output. This is the default mode.
- Extended mode is used to record all system functions (metadata) in addition to commands and terminal output. It is recommended that you select this option only if you require detailed inspection of system functions performed by executables, as a large volume of system function data can create heavy load on the Application Server. To reduce the load of system function data, you can select just the specific functions that you want to record.
In the ObserveIT Web Console you can configure the recording mode manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.
To configure the recording mode using Server Policies:
1. In the Configuration > Server Policies page, click Create or select a server policy template (Unix-based policy).
2. In the Data Recording Policy section of the
213. erec HON ..... 185
Configuring Pairing Requests ..... 187
Configuring Identity Theft Settings ..... 189
Managing Messages ..... 192
Creating Messages ..... 193
... Messages ..... 197
Viewing Messages ..... 197
Deleting Messages ..... 200
Disabling Messages ..... 200
Acknowledging and Replying to Messages ..... 201
Ticketing Systems Integration ..... 202
Configuring Ticketing Policies ..... 205
Configuring Ticketing Systems ..... 209
SMTP Configuration ..... 211
Monitoring Log Files ..... 212
Monitoring ObserveIT Logs ..... 212
Integrating Logs into SIEM Systems ..... 215
LDAP Settings Configuration ..... 218
Automatic LDAP Targets and Adding Domains ..... 220
Adding Manual LDAP Targets .....
214. erify Manual LDAP Target
LDAP targets can be used to authenticate users for two purposes: Console Users and Identification Services.
[Screenshot: LDAP Settings page. LDAP Properties: LDAP mail field name "mail". LDAP Targets List, with the indication "You are using secure LDAP", showing a target with LDAP Path LDAP DC OBSERV..., Domain Name OBSERVEIT.SYS.LOCAL, User Name guy, Alias OBSERVEIT-SYS, Type Auto, Created Date 9/9/2012, and a Delete button]
Note: ObserveIT also supports secured (SSL) communication to Active Directory via LDAP. When LDAPS is configured, all communication with Active Directory will be encrypted. An indication will be displayed in the LDAP Settings page, as shown in the above screenshot.
After an LDAP connection is properly established, the domain appears in two locations:
- Configuration > Console Users page, where you can create and configure additional ObserveIT Console Users that can administer ObserveIT or that can be used to view recorded sessions. For further details, see Console Users.
- Configuration > Identification page, where you can configure users that are required to identify themselves with a secondary ObserveIT logon whenever they log on to any ObserveIT monitored server. For further details, see Configuring Active Directory Identification Targets.
From the Configuration > LDAP Settings page of the Web Console you can configure automatic and manual LDAP targets and c
(continued) succeeded | ... | The ObserveIT Application Server successfully saved recorded data on the file system.

Database Server Events
Code | Event Name | Category | Severity | Description
1425 | Some data was not recorded in the database | Data Loss | High | Screenshot data and/or Unix commands failed to be saved to the ObserveIT Data database. Check the accessibility of this database.

Health Monitoring Service Events
Code | Event Name | Category | Severity | Description
1324 | Health Monitoring Service is not working properly | Functionality | High | The Health Monitoring Service is not working properly. Perhaps the service was terminated or was configured incorrectly. When this occurs, the Admin Dashboard will not display updated data. To resolve this, restart the Health Monitoring Service (go to Start > Services).
1325 | Health Monitoring Service is OK | Functionality | Low | The Health Monitoring Service is OK.
1327 | Health Monitoring Service has started | Functionality | Low | The Health Monitoring Service has started.
1328 | Health Monitoring Service has stopped | Functionality | Low | The Health Monitoring Service has stopped.

Identity Theft Events
Event Name | Category | Severity | Description
Login from paired client | Identity Theft | | A user logged in from a paired client machine. This user/client pair is approved.
Secondary login from ... | Identity Theft | | A user logged in via ObserveIT pai
erver is minimal (for example, weekends or nights). It is also recommended to schedule the archive so that each archive does not contain too much data; that is, it is better to schedule a periodic archive than to archive a whole year at once.

Configuring Database Archive Storage

A new ObserveIT archive database is created when the current live database size reaches its maximum allocated storage. ObserveIT's archive storage feature enables you to:
• View detailed information about the currently active archive database and the sessions that are stored in it
• Define a threshold that will trigger a system event if the archive database reaches its maximum allocated storage
• Create a new archive database if the current archive database size exceeds its maximum allocated storage
• View previous data storage archive locations

Configuring File System Archive Storage

When the file system is used to store the screen image data, ObserveIT's file system archive storage feature enables you to:
• View detailed information about the current screen capture archive data storage
• Define a threshold that will trigger a system event if the specified file system archive file reaches its maximum allocated storage. Note that if the system event is ignored after the maximum allocated storage is reached, you may experience screen capture data loss.
• Define new file
ervers. When Session Data Integrity is enabled, a warning icon appears next to the Slides number in the Server/User Diary, indicating that the session data was tampered with.

[Screenshot: Configuration > Security page. Check box "Enable Session Data Integrity". Application Servers list with columns App Server Name, ID, Image Security, Installation Security, Last Updated; one row for W2K8-S8-D02 (Image Security On, Installation Security Off, last updated 1/13/2015).]

2. Click the relevant Application Server Name. The Application Server dialog box opens.

[Screenshot: Application Server dialog for W2K8-S8-D02, version 5.8.0.0. Text: "If the Application Server Name was changed on the actual computer (My Computer > Properties), you will also need to rename it here to reflect the actual computer name." Fields: Application Server new name = W2K8-S8-D02; Is Application Server Monitored.]

3. In the Application Server new name field, type the new name.
4. Click Update. The new server name appears in the Application Servers list in the Configuration > Security page.

Enabling Image Security

When Image Security is enabled, the ObserveIT Application Server uses a PKI-based mechanism to encrypt and digitally sign all session data.

Note: There may be some performance impact issues and database si
(truncated entry) 38
Steps for Configuring ObserveIT Identification Services 38
Enabling Secondary Identification for Linux/Unix Policies 39
Configuring Forced Identification Users 40
Configuring Active Directory Identification Targets 45
Configuring Active Directory Groups 46
Configuring Local ObserveIT Identification Users 49
Forced Identification User ... 51
Preventing Windows Users from Bypassing the ObserveIT Identification Prompt 53
(unreadable entry) 55
Viewing Servers 55
Filtering Servers 57
(unreadable entry) 58
(unreadable entry) 60
Unlinking a Server Policy from Servers 61
Configuring Server Settings 62
Server Groups 63
Creating Server Groups 64
Modifying Members in Server Groups 64
Deleting Server Groups 66
Server Policies 67
Creating Server Poli
eselect the All Servers check box and then manually grant the user the appropriate access rights to either single ObserveIT Servers or to Server Groups. For example, you might want to configure a specific Console User to only view recorded sessions on five individual SharePoint servers, and to restrict a different Console User to view recorded sessions on only three different SQL servers.

[Screenshot: Configuration > Console Users > User Permissions for user daniel. Servers / Server Groups tabs with the instruction "Add at least one Server or at least one Server Group to grant permissions for this Console User. This list cannot be left empty." Note: "Adding the All Servers group will grant access to all monitored servers." Server Groups selector (All Servers) with Add button; list columns Name, Type, Version, Status, Date; Check All / Clear All. Users area: "The Console User will be able to view recordings of sessions made by these users. Enter username(s) that you permit this Console User to view their recorded sessions. Use DomainName\UserName, i.e. OBSERVEIT\danielp. Alternatively, you can browse for a user."]

Note: By not listing any user, acces
espond accordingly. The following color-coded severity levels (operational statuses) appear in the ObserveIT Web Console:

Color | Severity Level | Operational Status
(rows for the higher severities are unreadable in this copy)
... | Low | Administrative: Unregistered, Uninstalled
Gray | N/A | Not Available (relevant for Agent versions lower than 5.8, which have unknown or unavailable statuses)

The following icons appear in the Admin Dashboard and throughout the ObserveIT Web Console:
• Error icon: Agents that have errors.
• Tampered With: Agents that have been tampered with. The row in which this icon appears in the Agents portal is shaded orange as well. The shade of orange on this icon varies with how recently the tampering occurred: today, darkest orange; within the past 2-3 days, medium orange; earlier in the week, lightest orange.
• Installed: Agents that have been installed.
• Uninstalled: Agents that have been uninstalled.
• Installed/Uninstalled (relevant only for the mini Admin Dashboard): Agents that have been installed and uninstalled.
• Data Loss: Agents which have incurred data loss. The shade of blue on this icon varies with how recently the data loss occurred: today, darkest blue; within the past 2-3 days, medium blue; earlier in the week, lightest blue.
ession | W2K8-S8-D02 | 278 | 12 | 1/6/2015 | 1/11/2015

The following information is displayed for each server in the list:
• Name of the recorded server
• Size of the server's recorded data (number of slides)
• Total number of sessions in the server
• Dates of the first and last session recorded for the server

Note: The date of the first session in the database may be later than what you would expect from the database's actual age. For example, if the ObserveIT database was installed on the 1st of January 2014 and an archiving job was run on the 1st of October archiving all sessions older than the past month, the First Session parameter will show the 1st of September. To find these sessions, navigate to the Configuration > Archive > Diary tab.

Important Notes
• The more sessions a server has, the more data it uses. Very large database sizes need to be taken into consideration, and proper SQL tuning needs to be performed in order not to reduce the overall server performance.
• Some versions of SQL Express are limited in database size and will only hold a database no larger than 4 GB. When using SQL Express, take that limit into consideration.
• By default, ObserveIT never deletes data from the database; however, you can use the Archive tab to remove or archive old server data. See Archiving Information.
• When archiving is used, the databa
f the page, confirming that the new user was added successfully.

[Screenshot: Configuration > Console Users page with the message "ObserveIT Authentication: michelle added successfully". Console Users list (1-3 of 3) with columns Name, Reports, Authentication, Permissions, Create Date, Delete: Admin, Reports, ObserveIT Authentication, 10/27/2008; daniel, Reports, ObserveIT Authentication, Permissions, 3/2/2014; michelle, Reports, ObserveIT Authentication, Permissions, 3/2/2014. Add AD Group button.]

To update the details of an existing Console User
1. In the Console Users list, click the name of the user whose details you want to update. The Edit Console User dialog box opens.
2. In the Edit Console User dialog box, you can change the Role and/or the email address for the Console User. Note: You cannot edit the user's credentials or Authentication method.
3. Click the Update button. A message is displayed at the top of the Console Users page confirming that the user was updated successfully.

To delete a Console User
• In the Console Users page, click the Delete link next to the user you want to delete from the Console Users list.

Note the following:
1. Deleting Console Users does not result in any data loss to the recorded sessions, but this action cannot be reversed. If you need to create the Console User after you have deleted
[Screenshot: Session Player (URL truncated) showing the User Activities List: Program Manager, ObserveIT Server 5.7, Programs and Features, Computer Management, Share and Storage, Control Panel, Manage Accounts, Windows Help and Support, ObserveIT Login Page (localhost:4884), Facebook in Google Chrome, with timestamps from 12:14:15 PM to 12:16:45 PM, and the alert "Browsing SETTINGS pages".]

For further details about viewing alerts in the Session Player, see Viewing Alerts in the Session's Video. For further details about how to use the ObserveIT Session Player, see Windows Session Player or Unix Session Player in the User Guide.

Note: You can print the Alerts list and/or export it to Excel (see Printing and Exporting Alerts). Alerts can be deleted ONLY by ObserveIT Administrators (see Deleting Alerts).

Flagging Alerts for Follow-Up

Flagging an alert enables you to highlight an event that requires further attention. After flagging an alert, it
failed without a security password or for unknown reasons. Try to uninstall again and/or contact technical support.
The Agent was successfully uninstalled with a security password.
The Agent was successfully uninstalled without a security password.
The Agent was unregistered and was removed from the license.

System Events

Application Server Events
Code | Event Name | Category | Severity | Description
1301 | Application Server is not working properly | Functionality | High | The ObserveIT Application Server is not working properly. No reply is received when a keepalive request is sent, and the Application Server pool is down. Restart IIS to restart the Application Server.
1304 | Application Server is running | Functionality | Low | The ObserveIT Application Server has resumed operations.
1310 | Application Server successfully saved recorded data | Communication | Low | The ObserveIT Application Server successfully saved recorded data.
1311 | Application Server unable to save recorded data | Communication | High | The ObserveIT Application Server failed to save recorded data to the database. Check the SQL Server.
1403 | Writing data to file system failed | Communication | High | The ObserveIT Application Server failed to save recorded data on the file system. Check read/write permissions on the file system path.
1404 | Writing data to file system ... | Communication | Low | The Obs
fline viewing is particularly useful when the person who is viewing the recording does not have access permissions or the possibility to use the online Session Player. Saved sessions can be viewed by anyone with access to the zipped file containing the saved session. Because the exported file is outside the Console User permission model, treat it as sensitive data: restrict who receives it and where it is stored.

Note: Saving sessions for offline viewing does not affect the actual saved session, and data is still retained in the ObserveIT database.

To save a session for offline viewing
1. Navigate to Configuration > Saved Sessions.
2. In the Server Diary, User Diary, or Search or Report result, open the Session Player for the required Windows session and click the Save icon. The Save Session dialog box opens. For further details, see Windows Session Player in the User Guide.
3. In the Save Session dialog box, select the slides that you want to include in the saved session. You can save the entire recording (All slides) or select individual slides or a range of slides, for example 1-10, 15-18, 22.

[Screenshot: ObserveIT Session Player (Windows Internet Explorer) with the Save Session dialog and the User Activities List: Window Title Is Unavailable 8:14:20 AM, Microsoft SQL Server Management Studio 8:14:20 AM, Window Title Is Unavailable 8:14:27 AM, Untitled - Google Chrome 8:14:29 AM, ObserveIT Server Diary 8:14:58 AM, ...]
for Triggering Alerts.
8. When you have finished editing your alert rule, click Save to save your settings. The updated alert rule is displayed in the Activity Alert Rules page.

To duplicate an alert rule
1. In the Alert Rules list, click the Duplicate link next to the relevant alert rule.
[Screenshot: alert rule row "SAMPLE: After hours access to sensitive servers", Inactive, 12/29/2014, Admin, with Duplicate and Delete links.]
The Edit Alert Rule page opens with a new alert rule initialized to the exact content of the selected item, named "Copy of <selected alert rule name>".
2. Proceed with steps 2-8 above to edit the duplicated rule as required.

Deleting Alert Rules

ObserveIT administrators can delete alert rules that are no longer relevant (for example, rules that were created for demo or training purposes and are no longer required).

Note: Only an ObserveIT administrator can delete alert rules; a user who merely has administrative permissions cannot.

To delete an alert rule
1. In the Alert Rules list, select the rule(s) you want to delete and click the adjacent Delete link.
[Screenshot: alert rule row "Access from outside the organization", Active, 1/3/2015, Admin, with Duplicate and Delete links.]
A confirmation dialog box opens.
2. Click OK to confirm the deletion(s). The rule(s) are deleted and the Alert Rules list is refreshed.

Integrating Alerts in SIEM Products

ObserveIT alerts can be easily integrated into an organi
for the Console User, in the Servers area select the server you want to remove and click Remove.
3. To assign the Console User permissions to view the recorded sessions of specific users: in the User area, enter the user login of the specific user in the format Domain\Username and click Add. The user is added to the list. Repeat this step for each user whose recordings you want to allow the Console User to view.
Note: You can also allow the Console User to view sessions of users who do not have recorded sessions. By not listing any user, access is also permitted to users without recorded sessions.
To remove a specific user from the permission list of the Console User, select the check box next to the user name and click Remove.
4. Click Save to save your settings when you have finished assigning permissions on specific servers, groups of servers, or individual users.

Identification Services

Note: The Identification Services feature is supported on Windows and Unix/Linux Agents.

When multiple users have access to a generic account (such as the default Administrator account), it can be difficult, even impossible, to identify the actual person who is using the account. By enabling and configuring ObserveIT's Identification Services, the system can be configured to require users that log on to the monitored servers to identify themselves
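As an added illustration of the Console User permission rules described above (this is not ObserveIT's own code; the ConsoleUser and Session structures, the group table and the sample names are constructed for the example), the following Python function decides whether a Console User may open a given recording. It encodes the three rules from these pages: an empty server and group list grants nothing, the All Servers group grants every monitored server, and an empty user list permits viewing the sessions of every user, including users who have no recordings yet.

```python
"""Added illustration of Console User viewing permissions; not ObserveIT code.
The data model, the group table and the sample users are constructed here."""
from dataclasses import dataclass, field

ALL_SERVERS = "All Servers"   # built-in group: grants every monitored server


@dataclass
class ConsoleUser:
    name: str
    servers: set = field(default_factory=set)        # individual server names granted
    server_groups: set = field(default_factory=set)  # server group names granted
    users: set = field(default_factory=set)          # DOMAIN\user allow-list; empty = any user


@dataclass
class Session:
    server: str   # monitored server the session was recorded on
    user: str     # DOMAIN\user who was recorded


def can_view(viewer, session, group_members):
    """True if the Console User may open this recording.

    Server scope: granted directly, via a granted group, or via All Servers.
    An empty server/group list grants nothing (the UI refuses to save one).
    User scope: an empty allow-list means sessions of every user, including
    users who have no recordings yet; otherwise only the listed logons.
    """
    if not viewer.servers and not viewer.server_groups:
        return False
    server_ok = (
        ALL_SERVERS in viewer.server_groups
        or session.server in viewer.servers
        or any(session.server in group_members.get(g, ()) for g in viewer.server_groups)
    )
    if not server_ok:
        return False
    # Windows logons compare case-insensitively; assumed to hold for ObserveIT too
    allowed = {u.lower() for u in viewer.users}
    return not allowed or session.user.lower() in allowed


# Constructed sample data (five SharePoint servers, three SQL servers, as in the text).
GROUPS = {
    "SharePoint Servers": {"SP01", "SP02", "SP03", "SP04", "SP05"},
    "SQL Servers": {"SQL01", "SQL02", "SQL03"},
}
DANIEL = ConsoleUser("daniel", server_groups={"SharePoint Servers"})
MICHELLE = ConsoleUser("michelle", servers={"SQL01", "SQL02", "SQL03"},
                       users={r"OBSERVEIT\danielp"})
ADMIN = ConsoleUser("admin", server_groups={ALL_SERVERS})
EMPTY = ConsoleUser("nobody")


def demo():
    """Decisions for a few sessions; returns a list of booleans."""
    return [
        can_view(DANIEL, Session("SP03", r"OBSERVEIT\bob"), GROUPS),         # True: via group
        can_view(DANIEL, Session("SQL01", r"OBSERVEIT\bob"), GROUPS),        # False: not granted
        can_view(MICHELLE, Session("SQL02", r"OBSERVEIT\danielp"), GROUPS),  # True: server + user
        can_view(MICHELLE, Session("SQL02", r"OBSERVEIT\bob"), GROUPS),      # False: user not listed
        can_view(ADMIN, Session("SQL03", r"OBSERVEIT\newhire"), GROUPS),     # True: All Servers
        can_view(EMPTY, Session("SP01", r"OBSERVEIT\bob"), GROUPS),          # False: empty scope
    ]


if __name__ == "__main__":
    print(demo())
```

Granting server groups rather than All Servers keeps a Console User's scope reviewable; the user allow-list narrows it further to named logons.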
for the report. If a report was never run before, the Cached link will be disabled.

Remember: You can always return to the report creation wizard and add or remove columns, add or change sort-by options, add or change filters, and gradually generate the report you need by a trial-and-error process.

Managing Reports

Scheduling Reports

Reports can be scheduled to run at specific intervals. This is useful when a report needs to be emailed to an administrator or security auditor.

Note: To schedule an email report, you must first configure the Console User with an SMTP email address. You must also configure the ObserveIT Web Console to use an SMTP server.

To schedule a report
1. In the Report tab, click the Schedule link next to the report that you want to schedule.
[Screenshot: Reports > Report List (Latest Activities, Installed Software, Servers Software, Install/Uninstall, Sticky Notes, Custom Reports; Scheduled Reports for Console User; Create New Custom Report). Custom Reports rows, each with Run, Cached, Schedule, Copy, Edit, Delete links: "Latest Sessions: All Remote Desktop Sessions in the past month" (modified 01/11/09, admin) and "SAMPLE: Admin related tasks Past Week: Administrative related tasks performed on monitored servers" (modified 28/10/09, admin).]
> Archive.
2. Click the Log tab. The Log tab displays information about each archive job that was run. For example, you can see if a specific session in the production database was moved to the archive database by checking whether it falls within the date range of the archived sessions.

[Screenshot: Configuration > Archive > Log tab. Columns: Status, Start Time, Duration, Date Range, Created, Sessions, Screenshots, DB Name, Action. Rows show archive jobs run between 1/7/2014 and 1/9/2014 by Admin into ObserveIT_Archive_1 (action Archive); most have duration 00:00:00 and no sessions, two archived 1 session each with 30 and 46 screenshots (durations 00:00:11 and 00:00:04).]
h Client: localhost.localdomain (127.0.0.1). View Details | Watch Video

Example of Alert Digest Emails

There are two types of alert digest emails:
• Daily Alert Digest email is sent at the designated time every 24 hours, even if no alerts were generated in the prior 24 hours. If no alerts occurred, the subject remains the same (showing 0 alerts) and the body will contain only "No alerts generated in the past 24 hours".
• Alert Digest email is sent every x minutes if new alerts were recently generated. The Alert Digest email is sent only when at least one alert was generated since the last digest was sent and the specified number of minutes has passed since the last digest email.

[Sample digest email: Activity Alert Summary. High severity Alerts (432): UrlDomainNotEndWithCom 132, GTWen 1, happy hippo 60. Low severity Alerts (1): Load Test Rule 1, Load Test Complex Rule. Activity Alert Details (10 of 567 shown here; view all). High severity Alerts (10 of 565 shown here): UrlDomainNotEndWithCom, Alert ID 10060230, Who: observeit-sys.local\lili, On Which Computer: OIT-LILI, When: Monday 1/1/1753 12:00 AM, From Which Client: local (127.0.0.1), View Details | Watch Video; UrlDomainNotEndWithCom, Alert ID 10060500, same user, computer, time and client; Who: none\lili ObserveIT_A ...]
[Screenshot (continued): Schedule Report form. Weekly: ... through Sunday; Monthly: 1st day of each month. Run at 3:00 PM. Start Date: Jan 13 2015; End Date: Jan 14 2016.]

3. In the Email Report To section, in the Console User field, type the relevant domain user name, or click the browse icon to browse and select the user from the Console Users list. [Example shown: Login Name ObserveIT Authentication\Admin.]
Note: To receive an email report, this user must already have an SMTP email address.
4. To add the user to the report schedule, click Add. The Console User is added to the email report list. You can add multiple Console Users to the list, and each of them will receive a copy of the report.
5. To remove a Console User from this list, select the check box next to the user you want to remove and click Remove. If you click the Save Schedule button at this point, the Console User(s) that were added will receive the report daily.
6. In the Schedule Report section, to schedule the report to run at a custom frequency or at a defined time range, select the radio button next to the required frequency (Daily, Weekly, Monthly).
7. To configure Start/End Dates for the scheduled report, select the start and end dates.
8. When finished, click Save Schedule at the top of the page. In the Reports List, a schedule icon appears next to the report's name.

To remove a schedule
1. In the Reports List, click
hange the default LDAP email field name if required. See the following topics:
• Automatic LDAP Targets and Adding Domains
• Adding Manual LDAP Targets
• Deleting LDAP Targets
• Changing the Default LDAP Email Field Name

Automatic LDAP Targets and Adding Domains

If the server on which the ObserveIT Application Server is installed is a member of an Active Directory domain, that Active Directory domain will be automatically added to the list of LDAP Targets and will be configured as an Automatic type LDAP Target. There are two scenarios:
1. The server was already a member of the domain when the ObserveIT setup program was executed. When the ObserveIT setup program determines that the server on which the ObserveIT Application Server is installed is a member of an Active Directory domain, the setup program automatically adds that domain to the list of LDAP Targets. No further user action is required. The domain will be listed in the LDAP Target List as an Auto type LDAP Target.
2. The server is made a member of the domain after the ObserveIT installation. If, during the ObserveIT installation, the server on which the ObserveIT Application Server is installed is not a member of an Active Directory domain, the setup program will not make any changes to the LDAP Target List. However, it may be possible that a change was made after the ObserveIT installation and the server on which the ObserveIT Application Server is installed was made a member
he slide to open the Session Player for replaying the video of the session on which an alert was generated.

Managing Alert Rules

Alert rules define the conditions under which an alert will be triggered. Alert rules are configured by ObserveIT administrators according to conditions which could signify suspicious activity on monitored servers. After defining an alert rule, the administrator can configure an alert notification policy, which defines who should be notified when the alert is generated and how they will be notified.

Note: The ObserveIT installation package includes a list of sample alert rules which you can use as a basis to customize your own alert rules.

An alert rule comprises conditions that answer the following criteria:
• Who: Who was logged in to the session when the alert was triggered?
• Did what: What was the user doing when the alert was triggered?
• On which computer: On which computer was the user logged in?
• When: At what time was the alert triggered?
• From which client: Which client computer was being used when the alert was triggered?

Managing and configuring alert rules is done from the Activity Alert Rules page in the ObserveIT Web Console. You can navigate to this page via Configuration > Alerts > Activity Alert Rules.

[Screenshot: Web Console navigation bar: Server Diary, User Diary, DBA Activity, Activity Alerts, Configuration, Search, Report...]
hive the scheduled job data, or delete the scheduled data from the database in order to release space in the archive database. Deleted sessions will no longer be displayed in the Server/User Diaries.
6. Save the job schedule.

Enabling the Schedule Status
1. Navigate to Configuration > Archive.
2. Click the Schedule tab. The Schedule Archive page opens. By default, the schedule status is Disabled.

[Screenshot: Configuration > Archive > Schedule tab. Schedule Status and Information: Enabled. Status: Active. Previous Running Date: (none). Next Running Date: 1/1/2015 1:00 PM. "Data older than 10/1/2014 12:00 AM will be affected." Current DB time is 12/22/2014 3:33:31 PM. Sessions to Archive: 0. Screenshots to Archive: 0. Schedule created on 12/22/2014 12:50 PM. Date Range for archiving: Older than 3 Month(s); "Data will be added to the current active archive database"; Start Date / End Date / Date Range: Dec 8, 2014 to Dec 15, 2014.]

Note: Cutoff time is always at m
To drill down to examine Agents that have been tampered with
• In the Agents portal, click the Tampered With icon next to the relevant Agent group. The Servers list opens, filtered to display the Agent group members that have been tampered with in the last week. Each row displays the tampered-with group member marked by the tampered-with icon. In the expanded details of the Agent group member, the Status Details field displays "Tampered With". The colored severity bars indicate the event severity level (for example, Red = High).

[Screenshot: Configuration > Servers, Group: Unix Servers, filtered by Activities: Tampered With (1-2 of 2). Rows: u1204-32-1 (Server Policy: Default Unix-based Policy; Status Details: Tampered With; OS Type: Unix; OS Version: Ubuntu 12.04) and deb600-64-3 (Default Unix-based Policy). Filters available: Server Policy, OS Type, Version, Agent Type, Status, Error, Status Details.]
[Table residue: example Did What conditions with URLs. 1. User goes to a new page or searches for "me" on LinkedIn (https://www.linkedin.com/...). 2. User goes to their profile (https://www.linkedin.com/profile/view?id=88888&trk=nav_responsive_tab_profile). 3. User searches Google for "linkedin" (https://www.google.co.il/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8 ... q=linkedin&sourceid=chrome-psyapi2).]

How to Define an Executed SQL Command Statement

The Executed SQL Command group option enables you to define a rule that fires on executed SQL statements containing specific keywords that you want to find. This feature applies on Windows operating systems only.

Note: SQL Server 2012 is not supported.

For example, if you want to generate an alert on a user trying to access a list of credit cards in a customer's database, you might specify the following SQL statement conditions:
Executed SQL Command Statement contains "update, drop"
AND Executed SQL Command Statement contains "CREDIT_CARD"

How to Configure the Executed Command Group Options

This topic provides details of usage and scenarios to help you understand how to configure the Did What field options in the Executed Command group.

Note: These options are available on Unix operating systems only.

For general information about defining Did What conditions, see Defining the Did What Conditions.
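To make the five alert rule criteria (Who, Did what, On which computer, When, From which client) and the SQL keyword conditions above concrete, here is an added Python evaluator that runs a few rules over constructed session events. It is not ObserveIT code: the event field names, the AND combination of a rule's conditions, the reading of a comma-separated "contains" value such as "update, drop" as any-of, the business-hours model for When, and the extra "in subnet" / "not in subnet" operators are assumptions made for this example; the operators the page itself shows are is, is not, contains and starts with.

```python
"""Added illustration of activity alert rule evaluation; not ObserveIT code.
Assumed: event field names, AND-combination of a rule's conditions, "contains"
with a comma-separated value meaning any-of, and the two CIDR operators."""
from dataclasses import dataclass, field
from datetime import datetime
import ipaddress


def _contains(value, arg):
    # "update, drop" -> true if any listed keyword appears (assumed any-of semantics)
    return any(k.strip().lower() in value.lower() for k in arg.split(",") if k.strip())


def _in_subnet(value, arg):
    # CIDR test. Note that "starts with 10.1.2" on the IP *string* also matches
    # 10.1.20.x, so prefix matching is a weak way to express a network.
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(arg, strict=False)
    except ValueError:
        return False  # a non-IP client value never matches a subnet


OPERATORS = {
    "is": lambda v, a: v.lower() == a.lower(),
    "is not": lambda v, a: v.lower() != a.lower(),
    "contains": _contains,
    "starts with": lambda v, a: v.lower().startswith(a.lower()),
    "in subnet": _in_subnet,
    "not in subnet": lambda v, a: not _in_subnet(v, a),
}


@dataclass
class Condition:
    key: str        # event key: user, application, sql, computer, client_name, client_ip
    operator: str
    value: str

    def matches(self, event):
        return OPERATORS[self.operator](str(event.get(self.key, "")), self.value)


@dataclass
class Rule:
    name: str
    severity: str
    conditions: list = field(default_factory=list)
    business_hours: tuple = None   # (start_hour, end_hour); if set, the rule fires only
                                   # outside that window on weekdays, or any time on weekends

    def matches(self, event):
        if self.business_hours:
            ts = event["time"]
            start, end = self.business_hours
            if ts.weekday() < 5 and start <= ts.hour < end:
                return False
        return all(c.matches(event) for c in self.conditions)


def evaluate(rules, events):
    """Return (rule name, event id) pairs for every rule that fires on every event."""
    return [(r.name, e["id"]) for e in events for r in rules if r.matches(e)]


RULES = [
    Rule("After hours access to sensitive servers", "High",
         [Condition("computer", "starts with", "FIN-")], business_hours=(8, 18)),
    Rule("Credit card table modification", "High",
         [Condition("sql", "contains", "update, drop"),
          Condition("sql", "contains", "CREDIT_CARD")]),
    Rule("Access from outside the organization", "Medium",
         [Condition("client_ip", "not in subnet", "10.0.0.0/8")]),
]

# Constructed sample events (not product output). 2015-01-13 is a Tuesday.
EVENTS = [
    {"id": 1, "time": datetime(2015, 1, 13, 22, 40), "user": r"OIT-DEMO\guy",
     "computer": "FIN-DB01", "client_name": "OIT-LAPTOP", "client_ip": "10.1.2.15", "sql": ""},
    {"id": 2, "time": datetime(2015, 1, 14, 10, 5), "user": r"OIT-DEMO\guy",
     "computer": "FIN-DB01", "client_name": "OIT-LAPTOP", "client_ip": "10.1.2.15",
     "sql": "UPDATE dbo.CREDIT_CARD SET expires = '2099-01-01'"},
    {"id": 3, "time": datetime(2015, 1, 14, 11, 0), "user": r"OIT-DEMO\vendor",
     "computer": "SQL01", "client_name": "VENDOR-PC", "client_ip": "203.0.113.7",
     "sql": "SELECT name FROM sys.tables"},
]

if __name__ == "__main__":
    for hit in evaluate(RULES, EVENTS):
        print(hit)
```

Event 1 fires the after-hours rule (22:40 on a weekday on a FIN- server), event 2 fires only the SQL rule (in hours, but the statement contains both "update" and "CREDIT_CARD"), and event 3 fires only the external-client rule. The "in subnet" check is the form a practitioner should prefer over "starts with" on an IP address when the intent is a network range.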
ialog box that lets you specify a different threshold.

[Screenshot: Low Disk Space Notification Settings dialog: "Generate a system event when the disk contains more than 80 % out of the allowed 100 GB"; OK / Cancel.]

1. Select the check box "Generate a system event when the disk contains more than". Note: To clear a system event, clear this check box and click OK.
2. Specify the maximum disk space that you want to allocate for the screen capture data by entering values in the % and GB fields.
3. Click OK. A system event will be generated when the disk reaches the specified values. If the event is ignored after the allocated disk space is reached, you may experience screen capture data loss.

Note: A message will be sent to the user after SMTP settings are configured and a recipient email address is configured (see Configuring Email Notification Settings for Events).

Creating a New File System Location for Screen Capture Data

Before the current file system location reaches its maximum allocated storage, you can select a new file system location to hold the ObserveIT screen capture data.

Note: The previous location will still be fully available for playback even while new screen capture data is written to the new location.

To create a new file system location for screen capture data
1. In the Screen Capture Data tab, click the New Screen Capture Storage Location button. The New Screen Capture Storage Location dialog box opens.
iberate or inadvertent threats to system integrity, IT security, regulatory compliance, or company policy.

Note: The ObserveIT installation package includes a list of sample alert rules which can be used as a basis for customizing alert rules.

ObserveIT administrators can view and manage activity alerts from the Activity Alerts tab in the ObserveIT Web Console. Generated activity alerts are also highlighted in the User Diary, Server Diary, and Search pages, as well as in the session video player.

ObserveIT administrators can create and manage alert rules from the Activity Alert Rules page in the ObserveIT Web Console by selecting Configuration > Alerts > Activity Alert Rules. After defining an alert rule, the administrator can configure an alert notification policy for the users who will receive email notification about the alert. An alert notification policy defines which alerts are sent to which email addresses and at what frequency (for example, as every alert happens, as a digest once every x minutes, or as a daily digest).

Activity alerts can also be easily integrated into an organization's existing SIEM system.

Activity Alert Examples

Following are some examples of login and user activities that might trigger alerts:
• Irregular access to a company's financial servers during non-working hours
• External vendor login to database servers during non-working days
• A non-administrator user accessing a sensitive system file, for example
...authenticate. You can exclude specific groups from being able to authenticate, or allow only specific groups to authenticate. In the Active Directory Groups section of the Configuration > Identification page, you can include and exclude Active Directory groups from the specified Active Directory domain.
To include or exclude Active Directory groups from a domain:
1. Navigate to the Configuration > Identification page and add Forced Identification user(s). For further details, see Configuring Forced Identification Users.
2. In the Active Directory Identification Targets section (the Active Directory targets against which the users will authenticate), make sure that there is an Auto type Active Directory domain (for example, OIT-DEMO.LOCAL with Type Auto). If no Auto type domain exists, you will not be able to use Active Directory groups.
Note: Active Directory groups are only available when using an Automatic LDAP Target.
The Active Directory Groups section offers two options:
- Enable all groups from this Active Directory domain. To exclude any group from being able to log on, enter the Active Directory group name (for example, Help Desk or Domain Admins) and click Add. You can add multiple groups to this list (Domain Name, Group Name, Exclude Group).
- Disable all groups from this Active Directory domain.
In the From Which Client section of the Create Alert Rule page, you can define or edit the name or IP address of the client computer from which the suspicious activity occurred.
To define the From Which Client conditions:
1. Open the From Which Client section by clicking From Which Client or the Edit icon. In the example shown, two conditions are combined: Client IP address starts with a given prefix, and Client name contains a given string.
Important: Before you begin, make sure that you have read the Rules for Configuring Alert Conditions described in Understanding the Logic for Triggering Alerts.
2. To specify the client computer name or IP address that was used to connect to the monitored computers, select the required option, the relevant operator, and the required value(s) for each condition that you want to define, as described in the following table.
Copyright 2015 ObserveIT. All rights reserved.
Options for Defining the From Which Client Conditions
Client name: the name of the client computer, matched with an operator such as is or is not (for example, is not OIT-LAP..., OIT-PC, LOCAL-LAPTOP...)
...which means that newly generated alerts will not trigger any email.
- Status: Select the status of the alert rule, Active or Inactive.
- Severity: Select the severity of the alert rule: High, Medium or Low. The default severity for new rules is Medium. The severity of newly generated alerts is the severity of the rule that triggered the alert, that is, this field.
3. Define the conditions for the rule that will trigger the alert, as follows:
- Who: the user on which the alert will be generated. See Defining the Who Conditions.
- Did What: the actions the user performed. See Defining the Did What Conditions.
- On Which Computer: the name of the computer on which the action occurred. See Defining the On Which Computer Conditions.
- When: the day, date or time at which the action occurred. See Defining the When Conditions.
- From Which Client: the name of the client, the domain name, or the client IP address. See Defining the From Which Client Conditions.
4. When you have finished creating your alert rule, click Save to save your settings. The newly configured alert rule is displayed in the Activity Alert Rules page.

Understanding the Logic for Triggering Alerts
An alert rule comprises conditions that define the criteria (logic) for triggering an alert. This topic describes the logic behind the alert conditions and the expected behavior of the system when defining alert rules. You should read this to
The Reports list includes sample reports, for example:
- SAMPLE: App usage grouped by Server Name: all apps used on monitored servers, grouped by Server Name, for the past week.
- SAMPLE: Apps usage per Server grouped by App Name: all apps used on the monitored servers, grouped by App Name, for the past week.
Each report shows its creation date and creator (for the samples, 25/10/09, admin) and has Run, Cached, Schedule, Copy, Edit and Delete links.
2. In the Schedule Report page, you can do the following:
- Assign Console Users to receive the report results by email. Reports can be emailed to specific Console Users; note that you must configure an SMTP server and an email address for each Console User that needs to receive the report. Specify the user name that should receive the report by email in the form DomainName\UserName (for example, administrator or OBSERVEIT\danielp), or select Console Users from the list (Check All / Clear All).
- Schedule the report to run at a custom frequency or at a defined time range. The Report Interval can be Daily (each day), Weekly (each
...midnight.
Select frequency: the schedule recurs every N month(s), on the specified day of the month (for example, on the 1st day of the month at 1:00 PM).
Data Type
- Filter data by the following servers or server groups: select Server Groups or Servers by name, or All Servers (Check All / Clear All). Note: Sessions from these servers or server groups will be archived.
- Filter data by the following users: enter Domain\User. Note: If no user is entered, the action will be performed on all users. Sessions from these users will be archived.
- Action Type
3. In the Schedule Status and Information section, enable the schedule status by selecting the Enabled check box. The status shows Active. This section also shows the Previous Running Date, the Next Running Date, the current DB time, the number of sessions and screenshots to archive, and the date on which the schedule was created.

Specifying a Date Range for the Archived Data
In the Date Range for Archiving section of the Schedule Archive page, you can specify a date range for the archived data by selecting one of the following options:
- Older than: Select the radio button a
...Identification user does not have any effect on the actual user object, either in Active Directory or in the Windows Local Users. However, these users will no longer be required to identify themselves when they log on to the ObserveIT monitored servers.
You can delete Forced Identification users either from the Forced Identification Users list or from the Server Configuration Policy to which they were linked.
To delete users from the Forced Identification Users list:
1. Navigate to the Configuration > Identification page.
2. In the Forced Identification Users section, click the relevant Delete link in the list of users. You will be prompted to acknowledge your action.
3. Click OK to proceed, or Cancel to abort the deletion.
To delete Forced Identification users from the Server Configuration Policy to which they were linked:
1. Navigate to the Configuration > Server Policies page.
2. Navigate to the relevant Server Configuration Policy.
3. In the Identification Policy section of the policy, select the check box next to the Forced Identification users that you want to remove. This section contains the Enforce Login option, the secondary authentication message (by default, All activity on this machine is recorded and ...), and the list of users for whom identification is enforced: select All Users, or enter DomainName\Login (for example, administrator or OBSERVEIT\danielp) and click Add. You can add multiple users to this list.
...Admin Dashboard check box next to the relevant server group in the Server Groups page.
7. In the Server Group list, click Save to save the settings. The new server group is displayed in the Agents portal of the Admin Dashboard (for example, Finance Servers, Windows Servers or Application Servers), alongside the recent statistics for the past 7 days.
In the App Servers portal of the Admin Dashboard, you can view the statuses of Application Servers to verify whether they are working properly. This enables you to easily identify problematic Application Servers and issues regarding connections to the database or to your file system, which may affect whether recorded data is saved. From the App Servers portal, you can drill down to investigate related system events, identify the causes, and respond accordingly.
To view Application Server status and drill down to related events:
1. In the App Servers portal, view a list of Application Server
...Windows-based or Unix-based policy.
2. In the User Recording Policy section of the Server Policy Template page, select Record all users. The section offers two options:
- Record all users. To exclude any user from being recorded, enter the login (for example, administrator or OBSERVEIT\danielp) and click Add. You can add multiple users to this list.
- Record only the following users. To activate recording (video and metadata) for only specific users, enter the login (for example, administrator or OBSERVEIT\danielp) and click Add. You can add multiple users to this list.
3. To exclude specific users from being recorded:
   a. In the Exclude drop-down list, select User, type the domain for the user or select it from the list, and type the user's login name. Click the Add button.
   Note: The Domain list displays all the domains in the Active Directory forest in which the ObserveIT Application Server is a member. You can select * to select all domains.
   b. Repeat the above step for each user that you want to exclude. The specified users are displayed in the list.
Or:
4. To exclude specific groups from being recorded:
   a. In the Exclude drop-down list, select Gro
...host, which may repeat itself in succeeding screenshots: for example, if the user keeps working in Notepad, the word hosts is triggered from almost every recorded screen. In this case, generating an alert for every screen is not feasible, and it would probably be sufficient to generate an alert only once in a user session.
To prevent too many alerts from being generated for the same event, ObserveIT lets you define the frequency of alert generation, which controls the number of times an alert can be triggered. From the Alert only once drop-down list, select an option to prevent alerts from being generated more than once per session, once per application process, or once per the specified number of minutes:
- Per session (default): Generate an alert only on the first occurrence of every unique match of the rule in each user session.
- Per process: Generate an alert on the first occurrence of every unique match of the rule per application process (based on process ID) within each session. For example, you could select this option to generate an alert each time that an unauthorized user accesses a specific sensitive file, such as regedit.exe, during a session.
- Every x minutes: Do not generate an alert if the same conditions trigger within X minutes of the
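The three frequency options are easiest to compare side by side. The following is an added example written for this edit, not ObserveIT code: it replays a constructed sequence of rule matches (the "hosts" window-title case from above) through each option and returns which matches would produce an alert. The Match fields, the one-minute clock and the assumption that "Every x minutes" is measured from the last alert actually generated for the same match are ours; the guide does not define the internal representation.

```python
# Added example (not ObserveIT code): a simulation of the "Alert only once"
# options. Event fields and the sample matches are constructed; measuring
# "Every x minutes" from the last alert actually generated is our assumption.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Match:
    """One occurrence of a rule match inside a recorded session."""
    session_id: str   # ObserveIT user session
    process_id: int   # PID of the application that produced the screen
    minute: int       # minutes since the session started (constructed clock)
    text: str         # the unique match, e.g. the word found in the window title


class AlertThrottle:
    """Decides whether a match may generate a new alert.

    mode "session": once per unique match in each user session
    mode "process": once per unique match per process ID within a session
    mode "minutes": suppress repeats within `minutes` of the last alert
    """

    def __init__(self, mode: str = "session", minutes: int = 0) -> None:
        if mode not in ("session", "process", "minutes"):
            raise ValueError(f"unknown mode {mode!r}")
        if mode == "minutes" and minutes <= 0:
            raise ValueError("minutes must be positive")
        self.mode = mode
        self.minutes = minutes
        self._last_alert: Dict[Tuple, int] = {}   # key -> minute of last alert

    def _key(self, m: Match) -> Tuple:
        # "process" keys on the PID as well; the other modes key on the session.
        if self.mode == "process":
            return (m.session_id, m.process_id, m.text)
        return (m.session_id, m.text)

    def should_alert(self, m: Match) -> bool:
        key = self._key(m)
        last = self._last_alert.get(key)
        if last is None:                       # first occurrence: always alert
            self._last_alert[key] = m.minute
            return True
        if self.mode == "minutes" and m.minute - last >= self.minutes:
            self._last_alert[key] = m.minute   # window elapsed: alert again
            return True
        return False                           # duplicate: suppressed


# Constructed scenario: the user keeps a window whose title contains "hosts"
# open, so the rule matches on almost every screenshot.
MATCHES: List[Match] = [
    Match("s1", 100, 0, "hosts"),
    Match("s1", 100, 1, "hosts"),
    Match("s1", 100, 2, "hosts"),
    Match("s1", 200, 3, "hosts"),   # a second Notepad process in the same session
    Match("s1", 200, 9, "hosts"),
    Match("s2", 300, 0, "hosts"),   # the user logs on again: a new session
]


def alerts_for(mode: str, minutes: int = 0) -> List[bool]:
    """Return, per match, whether an alert would be generated in this mode."""
    throttle = AlertThrottle(mode, minutes)
    return [throttle.should_alert(m) for m in MATCHES]


if __name__ == "__main__":
    for mode, minutes in (("session", 0), ("process", 0), ("minutes", 5)):
        print(mode, minutes, alerts_for(mode, minutes))
```

Per session collapses the six matches to two alerts (one per session); Per process adds a third for the second Notepad PID; Every 5 minutes re-alerts once the window has elapsed even within the same process. When tuning X, remember that the window resets only on an alert that was actually sent, so a burst of suppressed duplicates does not keep extending the quiet period.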
...looking for from among the many servers that your organization has.
- Rename servers
- Unregister servers
- Unlink a Server Policy from servers
- Configure server settings

Viewing Servers
In the Servers list, you can view a list of servers and details related to the servers and to the Agents installed on the servers.
To view servers:
1. Navigate to Configuration > Servers. You can also access this page from the Admin Dashboard by clicking various links: in the Agents portal, the Agent group name, the error number, and the Tampered With or Data Loss icons; in the Deployed Agent Versions portal, the recently Installed or Uninstalled Agents.
2. The Servers list displays the servers according to the specified server group and filter criteria (Servers Group, Server Name, Status, Server Policies and More Filters; click Reset to clear them). For each server, the list shows the Server Name, Server Policy, Version, Status, Installation date and Last Activity date, for example:
   Server Name | Server Policy | Version | Status | Installation | Last Activity
   W2K3-S8-QA07 | Default Windows-based | 5.6.8.3 | Error | 12/23/2014 | 12/23/2014
   puw-deb600-64-1 | Default Unix-based Policy | 5.8.0.132 | OK | 12/23/2014 | 12/23/201
...link to call up that session and play back the session in the Session Player as required. For further details, see Replaying User Sessions in the User Guide.
In ServiceNow IT Service Management Suite, the incident record (for example, INC0010557) carries an ObserveIT Sessions related list. Each entry shows the time at which ObserveIT updated the incident, the login user (for example, OIT\GABY), the client IP address (for example, 10.1.100.157), the monitored server (for example, DD-W08-SQ8-1) and a link to the recorded session in the form http://<app-server>:4884/ObserveIT/SlideViewer.aspx?SessionID=<session ID>. The incident activity log shows the same updates as Additional comments posted by ObserveIT.
The following
...Linux Agents, or on Windows Agents that are running ObserveIT versions prior to 5.6.0.
During the replay of a live session, if the administrator wants to prevent the user from continuing the current session, he or she can send a message to the user and lock the user's desktop after a specified timeout period.
Note: The Lock User's Desktop feature is supported only on Windows Agents that are running ObserveIT version 5.6.0 and above. It is not supported on Unix or Linux Agents, or on Windows Agents that are running ObserveIT versions prior to 5.6.0.
When messages are no longer needed, they can be disabled (and potentially re-enabled later) or deleted.
Message tasks include: Creating Messages, Editing Messages, Viewing Messages, Deleting Messages, Disabling Messages, and Acknowledging and Replying to Messages.

Creating Messages
To create a message:
1. Navigate to Configuration > Messages. The Messages tab opens, with a Create a new message button and a Manage Messages list (Active Messages and Disabled Messages) showing the Message Name, Modified Date and Posted By of each message.
...section of the Server Policy Template page, select one or both of the check boxes next to the required Stop recording session command options. By default, both options are selected.
Data Recording Policy
- Basic: record commands and terminal output.
- Extended: record commands, terminal output and system functions.
- Stop recording session output beyond 1000 KB until new user input is detected.
- Stop recording command output beyond 500 KB until a new command or user input is detected.
The two limits are:
- Stop recording session output beyond: Select this option to define a limit (in KB or MB) for the session output data recording size before new user input is received. The default size is 1000 kilobytes; zero means that there is no data size limit.
- Stop recording command output beyond: Select this option to define a limit (in KB or MB) for the volume of command output before a new command or user input is received. This output limit applies to each command; a new command will start a new session for recording. The default size is 500 kilobytes; zero means that there is no data size limit.
3. Click Save to save the changes. Setting changes will take effect on new user sessions after the current sessions are closed.

Offline Recording Policy
Note: This feature is supported on Windows-based and Unix-based server policies.
ObserveIT Agents transmit recorded
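The interaction between the two limits is worth seeing on concrete numbers: the per-command limit resets on every new command, but the session limit resets only on user input, so a script that runs many commands without keystrokes can exhaust the session limit while each command stays under its own. The following is an added example written for this edit, not ObserveIT Agent code: it models the two counters over a constructed sequence of input, command and output events and reports how many output bytes would be kept or dropped. The event format and the byte-level truncation of an oversized chunk are our assumptions; the guide does not describe how the Agent buffers output.

```python
# Added example (not ObserveIT code): a model of the two Unix output limits.
# Event sizes are constructed; how the Agent actually splits or buffers
# output is not documented here and is not assumed.
from typing import Iterable, Tuple

KB = 1024


def simulate_recording(events: Iterable[Tuple[str, int]],
                       session_limit_kb: int = 1000,
                       command_limit_kb: int = 500) -> Tuple[int, int]:
    """Return (recorded_output_bytes, dropped_output_bytes).

    events: ("input", n)   - user keystrokes; resets both counters
            ("command", n) - a new command started without user input
                             (e.g. the next line of a script); resets the
                             per-command counter only
            ("output", n)  - n bytes of terminal output
    The size is ignored for input and command events; only output counts
    against the limits. A limit of 0 means no limit, as in the policy.
    """
    session_limit = session_limit_kb * KB
    command_limit = command_limit_kb * KB
    since_input = 0      # output recorded since the last user input
    since_command = 0    # output recorded since the last command or input
    recorded = dropped = 0
    for kind, size in events:
        if kind == "input":
            since_input = since_command = 0
        elif kind == "command":
            since_command = 0
        elif kind == "output":
            allowed = size
            if session_limit:    # 0 = unlimited
                allowed = min(allowed, max(0, session_limit - since_input))
            if command_limit:    # 0 = unlimited
                allowed = min(allowed, max(0, command_limit - since_command))
            recorded += allowed
            dropped += size - allowed
            since_input += allowed
            since_command += allowed
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return recorded, dropped


# Constructed session: a typed command followed by two more commands that
# run without further keystrokes, then the user types again.
SESSION = [
    ("input", 12),
    ("output", 3 * KB),
    ("command", 8),
    ("output", 6 * KB),
    ("command", 8),
    ("output", 5 * KB),
    ("output", 1 * KB),
    ("input", 6),
    ("output", 2 * KB),
]

if __name__ == "__main__":
    print(simulate_recording(SESSION))          # defaults: 1000 KB / 500 KB
    print(simulate_recording(SESSION, 10, 4))   # small limits to show truncation
    print(simulate_recording(SESSION, 0, 0))    # 0 = unlimited
```

With the defaults nothing is dropped; with a 10 KB session limit and a 4 KB command limit the second command loses 2 KB to the command limit, the third loses 2 KB to the session limit and its trailing 1 KB is dropped entirely until the user types again. When auditing long-running scripts on Unix servers, treat the session limit as the binding one and raise it (or set it to 0) if the output of unattended commands is what you need to see.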
...is -u (that is, user ID) and Executed Command Argument is 0 (that is, assign root permissions).

Defining the On Which Computer Conditions
In the On Which Computer section of the Create Alert Rule page, you can define or edit the specific computers (servers), or groups of computers, on which the suspicious activity occurred.
To define the On Which Computer conditions:
1. Open the On Which Computer section by clicking On Which Computer or the Edit icon. In the example shown, four conditions are combined: Computer domain is LOCAL-DB, ObserveIT server OS is Unix, OS name is not Solaris or Ubuntu, and Agent version number is higher than 5.5.
Important: Before you begin, make sure that you have read the Rules for Configuring Alert Conditions described in Understanding the Logic for Triggering Alerts.
2. To define the specific or groups of computers (servers) on which the action occurred, select the required
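The From Which Client conditions above and the On Which Computer conditions here share the same operator vocabulary (is, is not, contains, starts with, is higher than), with several values on one condition treated as alternatives and the conditions of a section ANDed. The following is an added example written for this edit, not ObserveIT code: a small evaluator for such conditions, run against constructed events. The field names (computer_domain, client_ip and so on), case-insensitive matching and the numeric parsing of agent versions are our assumptions; the guide shows only the operators and example values.

```python
# Added example (not ObserveIT code): evaluating alert-rule conditions of the
# kind shown in the From Which Client and On Which Computer sections. Field
# names, case-insensitive matching and the sample events are our assumptions.
from typing import Any, Dict, List, Sequence, Tuple

Condition = Tuple[str, str, List[str]]   # (field, operator, values)


def _version(text: str) -> Tuple[int, ...]:
    """Parse '5.8.0.132' into (5, 8, 0, 132) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad the shorter tuple with zeros so '5.5' compares as 5.5.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def match_condition(actual: str, operator: str, values: Sequence[str]) -> bool:
    """Apply one operator. Several values on a condition are ORed, except for
    'is not', which must hold against every value."""
    a = actual.lower()
    vals = [v.lower() for v in values]
    if operator == "is":
        return a in vals
    if operator == "is not":
        return a not in vals
    if operator == "contains":
        return any(v in a for v in vals)
    if operator == "starts with":
        return any(a.startswith(v) for v in vals)
    if operator == "is higher than":
        x, y = _padded(_version(actual), _version(values[0]))
        return x > y
    raise ValueError(f"unknown operator {operator!r}")


def rule_matches(conditions: Sequence[Condition], event: Dict[str, Any]) -> bool:
    """All conditions of a section are ANDed; an event lacking a field never matches."""
    for field, operator, values in conditions:
        if field not in event:
            return False
        if not match_condition(str(event[field]), operator, values):
            return False
    return True


# The On Which Computer example from the guide, as conditions.
COMPUTER_RULE: List[Condition] = [
    ("computer_domain", "is", ["LOCAL-DB"]),
    ("server_os", "is", ["Unix"]),
    ("os_name", "is not", ["Solaris", "Ubuntu"]),
    ("agent_version", "is higher than", ["5.5"]),
]

# Constructed events (not real servers).
DEBIAN_AGENT = {"computer_domain": "LOCAL-DB", "server_os": "Unix",
                "os_name": "Debian", "agent_version": "5.10.1"}
UBUNTU_AGENT = dict(DEBIAN_AGENT, os_name="Ubuntu")
OLD_AGENT = dict(DEBIAN_AGENT, agent_version="5.5")


def client_rule(ip_prefix: str) -> List[Condition]:
    """From Which Client conditions: an IP prefix AND a substring of the client name."""
    return [("client_ip", "starts with", [ip_prefix]),
            ("client_name", "contains", ["LAPT"])]


if __name__ == "__main__":
    for name, ev in (("debian", DEBIAN_AGENT), ("ubuntu", UBUNTU_AGENT), ("old", OLD_AGENT)):
        print(name, rule_matches(COMPUTER_RULE, ev))
    laptop = {"client_ip": "10.1.20.5", "client_name": "OIT-LAPTOP-7"}
    print("10.1.2", rule_matches(client_rule("10.1.2"), laptop))
    print("10.1.2.", rule_matches(client_rule("10.1.2."), laptop))
```

Two practical points the evaluator makes visible: a version such as 5.10.1 is higher than 5.5 only when the parts are compared as numbers (as plain strings, "5.10.1" sorts before "5.5"), and a starts-with prefix on a dotted IP address should include the trailing dot, since "10.1.2" also matches every address in 10.1.20.0/24 through 10.1.29.0/24.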
...it, you will need to create a new Console User and make sure it has the exact same name and password.
2. Deleting Console Users that are configured with an external Active Directory or LDAP domain will NOT delete the actual user objects from the target Active Directory domain. The deletion will simply prevent these users from using the ObserveIT Web Console.
To schedule a report or create a new report about a Console User:
- In the Console Users page, click the Reports link next to the required user. For further details, see Managing Reports.

Creating Active Directory Console Groups
Note: When creating Active Directory based groups in ObserveIT, a check is performed against the domain to make sure that the group exists.
To create an Active Directory group in ObserveIT:
1. In the Configuration > Console Users tab, click the Add AD Group button. The Active Directory Console User Group Details window opens, in which you specify the Group Name (for example, HD_Users), the Domain Name (for example, observeit.sys.local), the Role (for example, Admin) and the server group that the group is allowed to access (for example, All Servers).
...Activity Alerts Details view, such as metadata, ticketing and application information. This additional information could help you better understand the context of the activity that caused the alert. For further details about the ObserveIT Search feature, see Free Text Search in the User Guide.
To search for a session by alert ID:
1. In the Activity Alerts Details view, click the relevant Alert ID link. The details view shows, for each alert, the rule name (for example, Running sensitive apps on DB servers), Who (the login user), Did What (the application, for example Windows Explorer, Program Manager), On which Computer, From which Client (client name and IP address) and When.
The Search page opens, with the Searcher field set to Alert ID (for example, 10000003), displaying the session with an alert of that ID and marked with an alert indication.
2. Click the session to expand it and see exactly which slide has the alert.
3. Click the Video icon next to t
To enable specific groups from this domain to log on, enter the Active Directory group name (for example, Help Desk or Domain Admins) and click Add. You can add multiple groups to this list (Domain Name, Group Name, Enable Group).
3. In Active Directory Users and Computers, create the required group(s) and add members to them.
In the following example, two groups are defined in the domain OIT-DEMO.LOCAL:
- no-oit-logon: All users can authenticate in the ObserveIT Identification screen except users that are members of this group, in this case user1 and user2.
- yes-oit-logon: Only users that are members of this group can authenticate in the ObserveIT Identification screen.
In Active Directory Users and Computers, the domain oit-demo.local contains a Groups container with the global security groups no-oit-logon and yes-oit-logon (alongside Help Desk), and the users user1, user2 and user3; the Members tab of each group's Properties dialog shows who is included.
...unlinked from the server, and the new Server Policy Template will be linked to it instead.
Unlike linking individual servers, by using Server Groups you can perform a mass linking of all the servers that are members of that Server Group. The process of linking servers to Server Policy Templates by using Server Groups is slightly different from linking specific servers: using Server Groups actually performs a batch operation in the background, linking all servers that were members of that Server Group to the Server Policy Template you selected. The Server Group itself is NOT linked to the Server Policy Template. If at a later time you add more servers to that Server Group, they will NOT be linked to the Server Policy Template. To make sure that all the servers that are members of that Server Group are linked to that Server Policy Template, you will need to repeat this process; any unlinked servers that are members of that Server Group will then be linked to that Server Policy Template.
To link a Server Group to a Server Policy:
1. Navigate to Configuration > Server Policies.
2. In the Server Policy Templates page, click the Servers link next to the Server Policy to which you want to link
...will be recorded.
- Record only the following applications. To activate recording (video and metadata) for a specific application, select the process name from the list (for example, Internet Explorer: iexplore) and click Add. You can add multiple applications to this list. A Record URL field with an Exact Match check box lets you restrict recording to a URL.
- Record metadata for all applications, regardless of whether they appear in the list. Video will be recorded only for applications that appear in the list.
- Record metadata only. Only metadata will be recorded for all applications; no video will be recorded.
3. To create a recording policy for all applications, do the following:
   a. Select the Record all applications option.
   b. To deactivate recording video and metadata for a specific application, select its name in the Exclude list and enter the application's URL in the text box. You can specify part of the URL path, or the exact URL by selecting the Exact Match check box. Note that although the application is added to the list, the exclusion only takes effect when the user accesses the specified URL.
   Note: URL filtering is supported on Internet Explorer, Firefox and Chrome.
   c. Click Add. Repeat the above step for each application that you want to exclude. The ObserveIT Server will record all applications except for those in the Exclude list.
   d. To record textual metadata for the excluded applications, select the Also Record metadata for Excluded ap
...display an expanded version of the report, showing all the columns that were selected in the report creation steps. For example, the report All Remote Desktop Sessions in the past month (filtered by Session Start Date/Time in the last 1 month AND Window Title contains Remote) lists, for the server WIN2003-SRV1, five records with the Login Name, User, Server Name, Client, Window Title, Session Start Date, Session Start Time, Session End Time and Video link of each session (Show All Details, Show Selected Details, Hide Details); the report can be converted to Excel.
To help mitigate CPU and resource usage overhead, in some cases, when running reports that do not need to be current (such as a report showing all the user sessions in the previous month), you can view cached reports instead of re-running the reports. The Cached link is enabled only for reports that have already been run previously.
To view cached reports:
- In the Report List, click the Cached link next to the relevant report that has already been run, to view the previous results.
...example. The following example shows the prompts that a Forced Identification user receives after configuring a Unix/Linux machine for secondary authentication:

    All activity on this machine is recorded and monitored
    Authentication Type:
    1. Authenticate as ObserveIT user
    2. Domain authentication
    Choose Type: 2
    ... in OBSDEV.LOCAL: daniel

To log in for secondary authentication:
1. Select an option per the required type of authentication:
   - 1: Authenticate as ObserveIT user, or
   - 2: Domain authentication
   Note: When using domain authentication, the domain name will be displayed by default.
2. Enter a secondary user name and password.
Note: If you enter incorrect credentials, you will be prompted to try again (the initial prompts reappear).

Preventing Windows Users from Bypassing the ObserveIT Identification Prompt
After enabling Identification Services, whenever Forced Identification users log on to any ObserveIT monitored server or workstation using the regular Windows logon process, they will be required to provide secondary authentication in the ObserveIT Windows logon screen prompts. For further details, see Identification Services. If the user enters incorrect credentials, either by mistake or intentionally, they will be presented with the error Invalid Credentials or Access Denied. In order to continue, the us
...available when including or excluding groups from being recorded. After the LDAP connection is properly established, you can start working with Active Directory based Console Users. Note that for Auto type LDAP Targets, Active Directory based users and groups can be used.

Adding Manual LDAP Targets
If the server on which the ObserveIT Application Server is installed is not a member of any Active Directory domain, you can manually add LDAP Targets.
To add a Manual type LDAP Target:
1. In the Manual LDAP Target section of the Configuration > LDAP Settings page, enter an LDAP Path in the following format: LDAP://<Domain Controller Name>/DC=<Domain Name>,DC=<Suffix>. For example: LDAP://WIN2003-DC/DC=OIT-DEMO,DC=LOCAL, for the domain that appears as oit-demo.local in Active Directory Users and Computers.
Note: The Domain Controller Name can be either the server's host name or the server's IP address.
Note: In some cases you will need to use UPPER CASE letters for the LDAP path.
2. Enter a User Name and Password.
Note: The required user name should have at least read access
...alert indications next to some sessions. The Activity View for a server (for example, OBSERVEIT-PM) lists each session's time, duration, login user, server, client, number of slides and video link for the selected period; sessions that contain alerts show an alert indication icon.
2. Click the alert indication icon next to a session. A popup window opens, showing the alerts and the number of alert instances that were generated during that session, for example: Browsing SETTINGS pages (7), Accessing sensitive data (1).
3. In the popup window, click an alert to open a maximized screenshot displaying the alert's details.
4. In the popup window, click View all to jump directly to the Activity Alerts page, showing all the session alerts with all their details.
...Alert rule keyword, History (All; Updated on: during the last year, or between two dates) and Updated by (All).
From the Severity drop-down list, select the alert severity level that you want to view (High, Medium or Low), or select All to view all severities.
Expand the More Filters section by clicking the expand icon to filter the alert rules displayed according to additional criteria, as described in the table below.
When you have finished defining your search criteria, click Show to update the Alert Rules list. To clear the filter fields, click Reset.
More Filters
- Notification Policy: To search for alert rules by assigned notification policy (which specifies who receives alert notifications when an alert is generated, and at what frequency), select a specific notification policy from the list, or select All to view all alert rules.
- Alert rule keyword: To search for alert rules by keyword, type the relevant text in the text box. This searches the following fields in the Alert Rules list: Alert Rule Name; Description (if there is no description, you cannot search on this field); all rule content fields (for example, server names, programs); Updated by (for example, Console user name).
- History: To search for alert rules by whether they were previously used, select Generated at least one alert or Never generated an alert, or select All to
263. lery view provides a slideshow of the screenshots for each alert alongside the alert's details.
[Screenshot: Gallery view]
By viewing alerts in this mode, you can clearly see the user environment and the context of exactly what the user was doing when an alert was triggered.

Activity Alert Tasks
The tasks you can perform on activity alerts include:
• Filtering Alerts: Display the alerts according to your own specified criteria.
• Viewing a List of Alerts: View the alerts that were generated during a specified time period and according to specified criteria.
• Viewing Alert Details (Who Did What): View exactly who did what, on which computer, from which client, and when, for each alert.
• Viewing Alerts in Gallery Mode: Browse through the screenshots of each alert while showing the full details near each screen.
• Flagging Alerts for Follow-Up: Highlight alerts that require more attention by flagging them.
• Printing and Exporting Alerts: Print the Alerts list and export it to Excel.
• Deleting Alerts: Delete alerts that are no longer required.
• Receiving Alert Notifications by Email: Receive email alerts to quickly identify alerts and respond accordingly.
• Viewing Sessions with Alerts: View recorded sessions which contain alerts (marked with alert indications) in the Server Diary, User Diary, and/or Search lists.
• Viewing Alerts in the Session's Video: Replay videos of sessions with alerts in the Session Player.
• Searching for Sessions by Aler
264. licy Server Groups. In order to enable the Save button, you must first unlink the policy.
[Screenshot: Server properties page. Server ID: 1497b10c-4eeb-4512-9b82-4b4ca368770c; Server Name: W2K8-S8-D02 (Modify Name); Server Policy Template: Default Windows-based (Change Template); App Server: http://127.0.0.1:4884/ObserveITApplicationServer; check boxes: Enable recording, Enable Identity Theft Detection, Enable API]
The Change Server Name window opens.
Warning: Changing the Server name has no impact on the actual Windows Server name, but can be used when the actual Windows Server name has to be changed and you wish to match the new name with the ObserveIT data.
[Screenshot: Change Server Name window. Server ID: 1497b10c-4eeb-4512-9b82-4b4ca368770c; Server Name: W2K8-S8-D02]
4. Type the new Server Name.
5. Click Update. The server name is modified.

Unregistering Servers
In some cases, an ObserveIT server needs to be uninstalled from specific computers. For example, if the last activity occurred on a server a long time ago, the administrator may decide that a license is no longer required for that server. The correct way to uninstall a server is by using the Add/Remove Programs applet in the Control Panel. However, there may be times when access to the monitored server is not possibl
265. lidating the ticket number.
5. After configuring your ticketing system, click Test Connection to test the connection settings. A message is displayed informing you whether the connection is successful.
6. If the connection is successful, click Save to save your settings. The newly created ticketing system will be included in the list of ticketing systems on which you can apply ticketing policies. For details, see Configuring Ticketing Policies.

To update an existing ticketing system
1. In the list of currently existing ticketing systems, select the ticket system whose parameters you want to update.
2. Edit the required parameters as described above, test the connection, and then save your settings. The updated ticketing system will be included in the list of ticketing systems.

To delete a ticket system
In the list of currently existing ticketing systems, select the ticket system you want to delete and click the adjacent Delete link. A confirmation message is displayed. The ticketing system is removed from the list.

SMTP Configuration
To send messages to the configured Console Users, ObserveIT must be configured to use SMTP.
To configure SMTP settings
1. In the Configuration > SMTP Settings tab, enter the following information:
• Name or IP address of the SMTP Server
• Mail From email address
• User Name and Password to authenticate with the SMTP
266. ll. Note: Sessions from these users will be archived.

Selecting the Action to be Performed on the Job Schedule
In the Action Type section of the Schedule Archive page, you can select to archive the specified job schedule or to delete the scheduled data from the database.
To proceed to archive the specified job schedule
• Select Archive from the Type drop-down list.
[Screenshot: Action Type section with Type, User Name, and Password fields]

To delete the scheduled data from the database
Use this option to release space in the archive database.
1. Select the Delete option from the Type drop-down list. A message appears warning that the scheduled data is about to be deleted permanently from the ObserveIT database.
2. Select the Authentication method:
• AD Authentication: When selected, you must enter the User Name and Password of an Active Directory user with role_DeleteFromObserveIT permissions on the ObserveIT database.
• SQL Server Authentication: When selected, you must enter the User Name and Password of an SQL Server login with db_owner permissions on the ObserveIT database.
[Screenshot: Action Type section showing Type (Delete), Authentication (AD Authentication / SQL Server Authentication), User Name, Password, and the warning "Data will be deleted"]
Note: To delete data using Active Directory authentication, provide credentials of an Active Directory user with role_DeleteFromObserv
267. lock icon appears next to the Video icon. When clicking the Video icon, users will be prompted to enter their Replay Privacy Protection password. For further details, see Enabling Session Replay Privacy.

Auditing Configuration Changes
For enhanced security auditing, ObserveIT enables you to track configuration changes that were made while working in the Web Console. For example, if an Agent's recording was turned off, or changes were made in a Server policy configuration, you can track exactly who did this and when it happened.
An audit entry is created whenever the user makes configuration changes in one of the following areas in the Web Console:
• Server Policy creation, modification, or remove operations. For example:
  - The Agent recording status was temporarily disabled.
  - A User Recording policy was modified in order to record only specific users.
  - Continuous recording was enabled in a Windows system policy.
• Session Data Integrity definition changes. For example: Image Security was enabled on the Application Server in order to protect images in the database.
• Identification modifications. For example: A new LDAP Target (Domain Identification) was added.
• Licensing changes. For example:
  - The total number of Registered Agents was changed.
  - The ObserveIT software version was changed from Lite to Commercial.
• Application Server modifications. For example:
  - A specific server is configured to require a security passwo
268. m Files (x86)\ObserveIT\NotificationService\LogFiles\ArcSight. The default log file name is OIT_CEF.log. Following is an example of an OIT_CEF.log file showing user activity, DBA activity, and alerts activity data:
[Screenshot: OIT_CEF.log opened in Notepad]
duid=Administrator duser=n/a dvchost=OIT-RACHELI dvcpid= msg=ObserveITNotificationService_Trace Notepad rt=Aug 11 14:12:59 shost=OIT-RACHELI sproc= src= sntdom= suser=n/a suid=n/a destinationServiceName=Notepad deviceProcessName= end=Aug 11 14:12:59 start=Aug 11 14:12:59
Aug 11 14:12:59 host CEF:0|ObserveIT|ObserveIT|5.7.0|... cn1=10000003 cn1RuleDescription=Alert when using notepad cs1AlertDetails=Ran application Notepad cs5AlertDetailsURL=http://Q20W2K8:4884/observeIT/ActivityAlerts/ActivityAlerts.aspx?keyword=10000003&viewmode=Full cs2OS=windows dhost=Q20W2K8 dntdom=Q20W2K8 cs3ViewURL=http://Q20W2K8:4884/ObserveIT/SlideViewer.aspx?SessionID=790F5A39-99E3-4CE4-BA5D-44766A5CE807&DisplayOnAir=false&SSID=93BD41B1-5B91-4EBD-B5C9-4FEC279F2D5B&lang=en cs4Command= dproc=ObserveIT
duid=Administrator duser=n/a dvchost=OIT-RACHELI dvcpid=10.1.100.96 msg=ObserveITNotificationService_Trace Notepad rt=Aug 11 14:12:59 shost=OIT-RACHELI sproc=notepad src=10.1.100.96 sntdom=n/a suser=n/a suid=n/a destinationServiceName=Notepad deviceProcessName=notepad end=Aug 11 14:12:59 start=Aug 11 14:12:59
Aug 11 14:13:08 host CEF:0|ObserveIT|ObserveIT
269. m all domains in all the Active Directory forests that are connected to the current forest. ObserveIT easily integrates with your Active Directory forest, enabling you to use user and group objects from any domain in the forest in which the ObserveIT server-side components are installed, and in which the ObserveIT Agents are deployed (if different). Cross-forest trusts can also be used. Although using groups from Active Directory domains is possible with any group scope (domain local, global, or universal), it is recommended that you follow Microsoft's best practices on group object usage. For further details, refer to Active Directory Best Practices.
If the server was not a member of any domain during the ObserveIT installation, then after adding the server to a domain you will be able to add the LDAP Target later. If the server on which the ObserveIT Application Server is installed is not a member of any Active Directory domain, you can manually add LDAP Targets, and these will be configured as Manual-type LDAP Targets. This will enable the usage of Active Directory users; however, it will not be possible to use groups from that domain.
Creating Console Users for an Active Directory domain will NOT create actual Active Directory user objects. These Console Users are just pointers to Active Directory user objects that are supposed to exist in the target Active Directory domain. That is why the Password field is grayed out whenever an Active Dire
270. m did not detect that the Agent Service was stopped or killed via commands.
• Disabled: The recording mode was disabled in the Server Policy.
• Uninstalled: The Agent was uninstalled.
• The Agent is disconnected from the licensing (unregistered, blocked from accessing the system).

Investigating System Events
From the Servers list, you can navigate to the System Events list to examine the system events that occurred on Agent group members, to understand the root causes and what corrective actions to perform.
To drill down to investigate system events
1. In the Servers list, in the expanded details of the relevant Agent group member with error status, click the System Events link or the Status link.
[Screenshot: expanded server details. Status: Error; Version: 5.8.0.0; Server Name: W2K3-8-QA406; Server Policy: Default Windows-based; Last Activity: 12/14/2014 to 12/15/2014; Status Details: Tampered With; OS Type: Windows; OS Version: Windows Server 2003; links: Unregister, System Events]
The System Events page opens, displaying all the related system events that occurred on the Agent group member. The most recent event appears at the top of the list.
[Screenshot: System Events page. Filters: Severity: All; Server: All; More Filters: Category: All; Event Code: All; Component: All; Source: All; Login: All; Client: All; Email Sent: All; Event ID; Comme
271. manual configuration settings will be listed. Note: The Enforce login check box in the selected servers must be turned on in order to take effect.
[Screenshot: Server Name list with the "Enforce login is turned on" indicator: Manual c55-64-5-4, Manual c58-32-11, Manual D008R264SQL8, Manual D02003X862; Add button]
3. Select one of the following options:
• All Users: to apply the identification policies to all users.
• User: to apply the identification policies to a specific user.
4. If you selected the User option, select the domain name for the relevant Forced Identification user and specify the user's name. The Domain drop-down list displays all the domains in the Active Directory forest in which the ObserveIT Application Server is a member. You can also select all domains.
Note: ObserveIT easily integrates with your Active Directory forest, enabling you to use user and group objects from any domain in the forest in which the ObserveIT server-side components are installed, and in which the ObserveIT Agents are deployed (if different). Cross-forest trusts can also be used, if required. Although using groups from Active Directory domains is possible with any group scope (domain local, global, or universal), it is recommended that you follow Microsoft's best practices on group object usage. For further details, refer to Active Directory Best Practices.
5.
272. messages on the selected server. To display all the messages, from the Message to Display drop-down list, click All Messages.
[Screenshot: Server Diary > Messages tab for server WIN2003-SRV1, Message To Display: All Messages, Results 1-9 of 9. Columns: Name, Body, Reply, User, Login, Displayed At, Acknowledged. The messages "Do not stop the backup job" (body: "Job will take...") and "Who has approved access to this server" (body: "Enter the...") were displayed to Administrator on 8/1/2010 between 05:23 PM and 05:49 PM, with replies such as "no reply was given", "Ok just checking the security log", "Danielp", "I am just checking the...", "no problem", and "ok"]
273. [Screenshot: Notification Policy page. Email address: ...@observeit.com (Remove); Event Type Selection (Search by event type); Email Frequency]
Event Type Selection (High severity):
• 06 High: Suspected login reported
• 1107 High: Suspected secondary login reported
• 1202 High: Agent service has stopped
• 1203 High: Agent service was terminated
• 1204 High: Unrecorded Agent Sessions
• 1205 High: Agent installation files were tampered with (missing file)
• 1206 High: Agent installation files were tampered with (file changed)
• 1207 High: Agent Registry keys were tampered with
• 1210 High: Agent installation files were tampered with
• 1213 High: Unix Agent interception was tampered with
• 1218 High: Agent offline data files were tampered with
• 1219 High: Agent service not responding
• 1220 High: Process was killed and automatically restarted
Email Frequency:
• On every event
• Digest email no more than once every __ minutes
• Daily digest email at 18:00:00
In the Email address field, t
274. minimized or closed. When a message is displayed, the user must select the I Acknowledge check box in order to proceed to the next message (in the case of multiple messages queued for display) and for the Finish button to be available.
[Screenshot: ObserveIT Message window. "Do not stop the backup job", Message from Admin, 1 out of 2: "Job will take approx. 7 hours. Do not stop the job. For questions please call Daniel at 972..."; I Acknowledge check box; reply box ("Type your reply here, max 500 characters") containing "Ok just checking the security log"; Previous / Next buttons]
Note: ObserveIT does NOT prevent the user from working with applications around the window. However, if the user does not acknowledge a message, this will be seen in the ObserveIT Server Diary.
After acknowledging the last (or only) message, the Finish button becomes available. The time of user acknowledgment can also be viewed with the message and feedback information.

Replying to Messages (Providing User Input on Messages)
Users that receive messages can provide textual feedback or input for each message. The feedback box remains grayed out until the user selects the I Acknowledge check box, after which the user can enter feedback. There is a 500-character limit on the feedback. If multiple messages are queued for display, the user can provide separate feedback for each of the messages.
Note: If a reply is configured as mandatory, the user must enter a text reply in addition to acknowledging th
275. mpting the user to enter a valid ticket number from a ticketing system in order to log on to the server, as shown in the following example:
[Screenshot: Ticket Window: Enter a Valid Ticket Number. Message: "In order to log into this server you must enter a valid ticket number from the ServiceNow ticketing system." Fields: Ticket Number; "I don't have a ticket number. Please create a new ticket and log me in."; Comment (max 500 characters)]
Note: A ticket policy may be configured to allow a user that does not have a valid ticket number to request the creation of a new ticket on the fly and be logged in, or to allow access to the system even without a valid ticket number (in this case, the Skip button will be enabled). For further details, see Configuring Ticketing Policies.
3. ObserveIT verifies via the ticketing system that the ticket number is valid before allowing the user to proceed. If the user enters an incorrect ticket number, an error is displayed.
4. After logging on to the server, the user can make the required session changes, including any requests specified in the ticket itself.
5. The ticket associated with the session is linked to a video recording of the session. In addition, specific information about the login session is automatically saved by ObserveIT and included in the ticketing system.

Viewing Ticket Details
In the ticketing system
276. much main memory that in extreme cases could cause the logger to fail, or the session itself to fail due to memory problems. In addition, sending the offloaded data of a session can be done while a session is still ongoing (live), instead of having to wait until the end of the session.
In the ObserveIT Web Console, on Unix- and Linux-based server policies, you can configure a policy for offloading from the Agent's memory recorded system function data and/or all recorded data when they reach predefined thresholds. Data is offloaded to the offline storage location (the default is /opt/observeit/agent/run), which stores the data for recorded Unix/Linux sessions.
You can configure a server policy for offloading recorded data per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.
To configure an offload data recording policy
1. In the Configuration > Server Policies page, select the required server policy template (Unix-based policy), or click Create to create a new server policy.
2. In the Server Policy Template page, expand the Memory Management section by clicking the expand icon.
[Screenshot: Memory Management section. Offload recorded system function data limit; Offload all recorded data limit: 100]
277. n how to configure your database for optimal performance, refer to the Microsoft article Pre-Configuration Database Optimizations.
For optimal performance of the ObserveIT and ObserveIT_Data databases, it is recommended to:
• Set the initial size for MDF files to 100GB.
• Set the initial size for LDF files to 50GB.
• Use separate disks for MDFs (Data files) and LDFs (Transaction logs).
• Optional: Create multiple MDF files (one for each CPU core, up to 8) on separate disks for the ObserveIT database, if you have enough disks.
For optimal performance of the tempdb database, it is recommended to:
• Create multiple MDF files (one for each CPU core, up to 8) to reduce allocation contention.
• On the SQL Server instance, set up the MSSQL Trace Flag T1118 in the service startup parameters.
• Reduce allocation contention on the tempdb database by forcing uniform extent allocations. For further details, refer to the Microsoft article Concurrency enhancements for the tempdb database.
For all four ObserveIT databases, it is recommended to use the Simple Recovery Model; however, if the customer specified a point-in-time recovery option, you should use the Full Recovery Model instead.

File System for Storing Graphical Images
In large-scale deployments, the file system is the recommended method for storing graphical images, instead of the SQL Server data
278. n Application Permission level is not Admin: if a user is trying to run an application without root/admin permissions on the logged-in server.

Example Scenario
The following scenario provides some examples of how to use some of the Ran Application options to configure the conditions for an alert rule.
Alert rule example: Trigger an alert when an unauthorized (non-administrator) user tries to view a sensitive system or configuration file, such as regedit.
Note: For purposes of this example, the scope of the alert rule is per session, which means that an alert will be generated only on the first occurrence of every unique match of the rule in each session. Full details about defining the scope of rules are provided in Defining the Did What Conditions.

Condition / Example:
• Ran application: Application name is Regedit, SSMS (SQL Server Management Studio), Setup, Notepad. This condition specifies that every first time in a session that the user runs the Regedit, SQL Manager Studio, Setup, or Notepad applications, an alert should be generated.
• Ran application: Window title contains hosts, permissions, security.
User Activity / Alert Generated:
1. User logs in to a session and runs the Regedit application. YES: Alert will be generated because the application name matches the condition.
2. (An alert is generated because:) Within the same session, the user runs Setup, even though thi
279. n Group: All Servers (1), Active Servers (0), Windows Servers (1), Unix Servers, Windows WorkStations, Windows Gateway, Windows ActiveX, NewGroup, Finance Servers; Check All / Clear All.
The Policy Servers page refreshes, displaying the new linked servers.
Note: You can unlink individual servers from this Server Policy Template, either from the Server Policy Templates list or from the Server properties page.

Configuring Server Policy Settings
ObserveIT Servers (or Agents) are configured by using Server Policies. Server Policies are sets of configuration options that control aspects of how the monitored server is configured. By using Server Policies, the task of configuration is simplified, since the administrator can configure one set of recording settings and apply these settings to many monitored servers simultaneously.
Note: You can link a different Server Policy to individual servers or to Server Groups.
Important Notes
• The policy settings that you can configure on a Server Policy Template are identical to the policy settings that you can configure on an individual server. The topics in this section describe how to configure policy settings using Server Policy templates. Note that setting changes will take effect on new user sessions after the current sessions are closed. For information about configuring policy settings on an individu
280. n for Linux/Unix Policies
• Configuring Forced Identification Users
• Configuring Active Directory Identification Targets
• Configuring Active Directory Groups
• Configuring Local ObserveIT Identification Users
• Forced Identification User Login
• Preventing Windows Users from Bypassing the ObserveIT Identification Prompt

Viewing Forced Identification Users in the Web Console
When Identification Services are configured and a Forced Identification user has successfully logged in, in the ObserveIT Web Console you can view the name of the user who logged in with the shared user account in the Server Diary, User Diary, Free Text Search, or Reports page, as shown in the following figure.
Note: When Identification Services are not configured, the only information available is the login name.
[Screenshot: Server Diary page for server c65-64-3, period Dec 29 2013 to Jan 6 2014, filter by login user: All, 1-20 of 23 sessions. Columns: Session, Duration, Server, Client, Slides, Video; the session list shows the shared account (for example, root on c65-64-3) together with the identified user (for example, John)]
281. nd specify the user's Login name. Click the Add button. The Domain drop-down list displays all the domains in the Active Directory forest in which the ObserveIT Application Server is a member. You can also select all domains.
Note: ObserveIT easily integrates with your Active Directory forest, enabling you to use user and group objects from any domain in the forest in which the ObserveIT server-side components are installed, and in which the ObserveIT Agents are deployed (if different). Cross-forest trusts can also be used. Although using groups from Active Directory domains is possible with any group scope (domain local, global, or universal), it is recommended that you follow Microsoft's best practices on group object usage. For further details, see Active Directory Best Practices.
Select the Save last used login check box if you want to auto-populate the User Name box of the secondary ObserveIT logon screen with the last logged-on user name.
Note: If you select this setting, the next user that logs on will be able to see which user was previously logged on to the system. For security reasons, it is recommended that you do not select this setting.
Click Save to save the changes. Setting changes will take effect on new user sessions after the current sessions are closed.

User Recording Policy
Note: This feature is supported on Windows-based and
282. nd then select Days, Weeks, or Months as the period of time for the data to be processed. Note that you cannot select a time range that is less than 3 days from the current time on the database.
• Date Range: Select the radio button and then specify a start and end date for the data to be processed.
[Screenshot: Date Range for archiving. Older than 3 Month(s); Data will be added to the current active archive database; Date Range: Start Date Dec 15 2014, End Date Dec 22 2014]
Note: Cutoff time is always at midnight.

Selecting the Archive Job Frequency
1. In the Schedule section of the Schedule Archive page, select the archive job frequency from the Recurs every drop-down list. Options are Once, Days, Weeks, or Months. Depending on your selection, you may need to specify further information.
[Screenshot: Schedule section. Select frequency: Recurs every Months; Recurs every 1 Month(s), on the 1 day of the month, at 1:00 PM]
2. If you select Once, you can configure when you want the one-time job to run, as follows:
• Select Run Now if you want the job to be executed immediately after clicking the Save Schedule button.
• Select Run if you want the job to be executed on a specified day and time. Note: Consider the performance impact on the production database server, and make sure that you only run the job during off-peak hours. Select f
283. nent: All; Source: All; Login: All; Client: All; Email Sent: All; Event ID; Comment; Status Details: All; Period: During last 1 Months / Between 12/23/2014 and 12/31/2014.
From the Server drop-down list, select the particular server for which you want to view events, or select All to view all servers. Expand the More Filters section by clicking the expand icon to filter the events displayed according to additional criteria, as described in the table below. When you have finished defining your search criteria, click Show to update the event list according to the specified details. To clear the filter fields, click Reset.

More Filters
• Category: To search for events by category (by the mechanism that generated the event), select an option from the list, or select All to view events from all event categories. The available category depends on the event Source. Options include:
  - Identity Theft (Identity Theft source)
  - Installation (Agent source)
  - Functionality (Agent, Application Server, Health Monitoring, Notification Service, Rule Engine source)
  - Data Loss (Agent, Database, Web Console source)
  - Tampering (Agent source)
  - Communication (Agent, Application Server, Notification Service source)
  - Recording (Agent source)
• Component: To search for events by the component type on which the events were reported, select an option from the list: Agent, Application Server, Database, File System, Web Console, Rule Engine, Notification
284. new logging policy, select the Enable internal logs check box. By default, this check box is selected. If it is not selected, errors will still be reported in the syslog.
4. In Log file path, accept the default log file path or enter a new path for storing the log files. Note: You can specify the file system path where the log data (and optionally session debug data) will be stored, or you can click the Default button to store the log data in the default product path, which is a folder under the directory of the installed ObserveIT Agent.
5. Specify a threshold (in MB) for the Log file rotation. Permitted values are in the range of 1-100 MB; the default is 10 MB.
6. Select the required Log level from the drop-down list:
• Error: includes only error conditions (default setting).
• Warning: includes all warning conditions plus error messages.
• Info: informational messages plus error and warning messages.
• Debug: debug-level messages plus error, warning, and info messages.
7. Click Save to save the settings. Note: The log level changes automatically, without the need to restart the Agent.

Memory Management
Note: This feature is supported on Unix-based server policies only.
ObserveIT provides an advanced feature that enables a more efficient way of managing recorded data that has accumulated in the Agent's memory before it is sent to the Application Server. Offloading data from the Agent's memory prevents the Agent from consuming too
285. nfiguration > Server Groups.
Note: The default server groups cannot be deleted, and you cannot modify their members.
To add servers to a server group, click the Add Servers link next to the relevant server group name. The Add Servers to Group window opens.
[Screenshot: Add Servers to Group window (ServerGroup1), 1-3 of 3. Columns: Server Name, Version, Monitor Status: c59-32-7 (Uninstalled, Disabled); W2K8-2 (5.8.0.0, Active); W2K8-S8-QA10 (5.8.0.0, Active); Check All / Clear All; Add Checked Servers]
Select the relevant check boxes of the servers that you want to add to the server group. You can also use the Check All and Clear All links.
Note: Servers that are already members of this server group will NOT appear in the Add Servers to Group window. Only servers that are currently not members of this server group will be available for selection.
Click the Add Checked Servers button. When you have finished, click Close. A message is displayed prompting you to acknowledge the action. Click OK to proceed. The Server Groups page displays the number of member servers next to the server group's name.
To view the current members of a server group, click the relevant server group's link. The Servers page opens, filtered to display the relevant server group and its members. The Group field displays the name of the server group
286. ng
• Enable Installation Security to prevent rogue Agent installation.
• Install digital certificates and set up SSL communications in IIS.
• Prevent the usage and execution of specific applications, programs, or file types by using Group Policy Objects (GPO). If required, refer to the Microsoft articles:
  - Using Software Restriction Policies to Protect Against Unauthorized Software
  - How to Use Software Restriction Policies in Windows Server 2003
• Protect traffic to and from critical servers by implementing IPsec Policies. If required, refer to the Microsoft article IPsec.
• Read and implement well-documented security guidelines.

Renaming Application Servers
You can rename the ObserveIT Application Servers in case their computer names were changed and you want to maintain their new name in the application. The ObserveIT Application Servers are listed in the Configuration > Security page, and thus can be renamed there.
To rename an Application Server
1. Navigate to Configuration > Security. The Security page opens, displaying the Application Servers list.
[Screenshot: Configuration > Security page with the Session Privacy, Application Servers, and Data Integrity sections]
287. ng Server Policy by clicking the Copy link next to the policy you want to copy. The new Server Policy's properties page opens, allowing you to make changes to the new policy.
    [Screenshot: Server Policy Template page, System Policy section]
    4. Type a descriptive Name.
    5. Configure the fields as required. For further details, see Configuring Server Policy Settings.
    6. Click Save. The new Server Policy appears in the Server Policy Templates list.
    Modifying Server Policies
    To modify a Server Policy:
    1. Navigate to Configuration > Server Policies.
    2. In the Server
288. ng the configured alert rule conditions that triggered the alert. For example, the alert rule Browsing SETTINGS:
    Description: User browsing URLs containing Settings, Profile, Account etc. or similar titles
    Who: Any user
    Did What: Window title: setting, account, manage, profile OR URL prefix: setting, account, manage, profile
    On which Computer: Any computer
    When: Day of week: Sunday, Monday, Tuesday, Wednesday, Thursday
    From which Client: Any client
    Note: You can print the Alerts list and/or export it to Excel (see Printing and Exporting Alerts). Alerts can be deleted ONLY by ObserveIT Administrators (see Deleting Alerts).
    Viewing Alerts in Gallery Mode
    In Gallery mode, you can browse through the screenshots of each alert while viewing the full alert details next to each screen. Viewing alerts in Gallery mode provides a view of the user environment, enabling you to see the context of exactly what the user was doing when an alert was triggered.
    To view alerts in Gallery mode:
    1. In the Activity Alerts page, click the Gallery icon in the Show area. The Gallery mode displays screenshots of each alert.
    [Screenshot: Activity Alerts page in Gallery mode, filtered by Period (last 1 month) and Severity (All)]
289. 3. View the following information:
    Database type: SQL Server
    Name of database server: The name of the server hosting the SQL Server
    Connection account: SQL Server or Windows Authentication
    Current DB size: The actual volume of data currently in the database (GB)
    Note: If configured, Maximum DB Size shows the maximum space available for the database (GB) and the currently available percentage of free space.
    Low DB space notification: Not configured, or the threshold showing the maximum disk space allocated for the database. Note that the threshold applies to all the databases. If required, you can release disk space by running the archive process (see Archiving Information). To specify a different threshold, click the Change button. In the dialog box that opens, specify a new threshold for maximum allocated disk space and click OK. A system event will be generated when the database size contains more than ___ of the allowed ___ GB.
    [Screenshot: Low DB space notification settings dialog, with the check box "Generate a system event when the database size contains more than ___ out of the allowed ___ GB"]
    To disable the system event, clear the check box "Generate a system event when the database size contains more than" and click OK.
    Number of servers in DB: The total number of servers that are recorded in this database. This includes old and inactive servers that have been uninstalled, as ObserveIT never removes server d
290. normal CPU resources on the ObserveIT Agents and normal network bandwidth utilization.
    - Grayscale Client Compression requires additional CPU resources on the ObserveIT Agents for the conversion, but utilizes less network bandwidth.
    - The Color setting requires no additional CPU resources for compression; however, more data storage is required per screenshot on the SQL Server database, and there is a much higher network bandwidth utilization, up to 10 times greater than the default grayscale. This setting is not recommended unless it is absolutely essential.
    You can configure the recording color manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.
    To configure the recording color using Server Policies:
    1. In the Configuration > Server Policies page, click Create or select a server policy template (default Windows based policy).
    2. In the System Policy section of the Server Policy Template page, from the Set image format drop-down list, select the required image format: Color, Grayscale Server Compression or Grayscale Client Compression.
    [Screenshot: Server Policy Template page, System Policy section]
291. [Screenshot: System Events page filtered to Period: During last 1 Months, Between 12/30/2014 and 01/07/2015, showing events 21-40 of 45]
    Received | Code | Category | Name | Server
    1/6/2015 12:46 PM | 1210 | Tampering | Agent installation files were tampered with | W12 S12 D02
    12:45 PM | 1610 | Installation | Uninstallation of Agent without a password wa | W12 S12 D02
    12:45 PM | 1611 | Installation | Agent was unregistered | W12 S12 D02
    12:45 PM | 1202 | Functionality | Agent service has stopped | W12 S12 D02
    12:44 PM | 1304 | Functionality | Application Server is running | W12 S12 D02
    12:44 PM | 1323 | Functionality | Rule Engine Service is OK | W12 S12 D02
    12:44 PM | 1329 | Functionality | Rule Engine Service has started | W12 S12 D02
    1/5/2015 11:06 AM | 1301 | Functionality | Application Server is not working properly | W12 S12 D02
    11:06 AM | 1330 | Functionality | Rule Engine Service has stopped | W12 S12 D02
    10:37 AM | 1218 | Tampering | Agent offline data files were tampered with | W12 S12 D02
    10:35 AM | 1602 | Installation | Agent Registration was successful | W12 S12 D02
    10:35 AM | 1304 | Functionality | Application Server is running | W12 S12 D02
    10:32 AM | 1301 | Functionality | Application Server is not working properly | W12 S12 D02
    1/4/2015 5:46 PM | 1240 | Recording | Agent is now recording active sessions | W2K8 S8 QA11
    4:47 PM | 1204 | Functionality | Unrecorded Agent Sessions | W2K8 S8 QA11
    4:46 PM | 1201 | Functionality | Agent service has started | W2K8 S8 QA11
292. [Screenshot: report filter editor. Operators: less than, greater than, less or equal, greater or equal, contains, does not contain, starts with, include list, exclude list. Fields: Client IP Address, Machine Name, Session End Time, Session Start Time, Session Video Slides Count, Domain Name, Login Name, User Authentication, User Identity, User Name]
    Note: Using the wildcard character in the beginning of a filter phrase means that the filter will ignore anything before the text you used. Using the character at the end of a filter phrase means that the filter will ignore anything after the text you have used. For example, ZoRemote will include results such as Routing and Remote Access Server Setup Wizard, Routing and Remote Access, Remote Desktop Connection, and so on.
    At this point, you may want to click the Preview button and view the results of the report, making modifications to the filter as needed.
    9. In step 4 of the report configuration wizard, you can choose the order of the columns and configure the appearance of the report. The list contains the same items that were selected in the first step.
    [Screenshot: Reports wizard, Step 4/4 Column order selection for the report Latest Activities, with the Order Columns list and Jump to Step control]
    Select the order of the columns in
293. [Screenshot: Security page, Application Servers list with columns App Server Name, ID, Image Security, Installation Security and Last Updated; the row for W2K8 S8 D02 shows Image Security Off, Installation Security Off, Last Updated 1/11/2015]
    The Application Server Installation Security Password dialog box opens.
    [Screenshot: Application Server Installation Security Password dialog. Require Installation Security Password: when active, ObserveIT Agents can only be installed and uninstalled with the password specified here. Check boxes: Require password to install an Agent, Require password to uninstall an Agent. Fields: Enter Password, Confirm Password. Buttons: Cancel, Update]
    4. Select one or both check boxes to require a password on installation and/or uninstallation of the Agent.
    5. Enter the installation password twice to confirm.
    6. Click Update.
    7. Acknowledge the message to confirm the change.
    After the configuration changes are made, the Installation Security status changes to:
    - On, if passwords are required on both install and uninstall options
    - On (Install only), if a password is required only on Agent installation
    - On (Uninstall only), if a password is required only on Agent uninstallation
    Note: You can always change the installation password or cancel it entirely by clicking the On link and making the required changes.
294. n the System Policy section of the Server Policy Template page, select the Enable recording notification check box. By default, this check box is disabled.
    [Screenshot: Server Policy Template page, System Policy section, with Enable recording notification selected and the default message "All activity on this machine is record..." next to the Default button]
    3. If required, you can edit the default recording notification message that is displayed next to the check box. To revert to the default message, click the Default button.
    4. Click Save to save the changes.
    Enabling the recording notification message configures the yellow recording notification bar that appears on the desktop on each recording session, clearly notifying the user that their actions are being recorded and monitored. When disabled, the default recording continues on the server, but the notification bar on the desktop will not be displayed.
    Setting changes will take effect on new user sessions after the current sessions are closed.
295. o understand the root cause of the errors and what corrective actions to perform. You can click the System Events link to view all system events, or you can click the Error link to view the event in the filtered System Events list, where you can view expanded details including Additional Info. For details, see Investigating System Events and Viewing System Events.
    To unregister the server, you can click the Unregister link. For details, see Unregistering Servers.
    You can filter the Servers list according to specified criteria, including the server group name, status, and activities which occurred on the server within the past 7 days. For details, see Filtering Servers.
    Filtering Servers
    You can filter the servers displayed in the Servers list per specified criteria.
    To filter the servers displayed in the Servers list:
    1. From the Group drop-down list at the top of the Servers page, select the server group for which you want to view servers: All Servers, Active Servers, Windows Servers, Unix Servers, Windows Workstation, Windows Gateway, Windows ActiveX, and so on. By default, All Servers are displayed.
    [Screenshot: Servers page filter bar with Group, Server Name and Status fields, and More Filters: Server Policy, Agent Type, OS Type, OS Version, Version, Status Details, Activities (Data Loss, Tampered With), with Reset and Show buttons]
296. o automatic mechanism to delete older log files; you must manually and periodically delete them when they are no longer current. However, you can schedule an automated script that will delete them for you automatically. Log files have no operational dependency on the functionality of ObserveIT; therefore, you can delete older log files without losing any information.
    To disable the monitoring of the log files, clear the Enable ObserveIT logging check box and click Save.
    Integrating Logs into SIEM Systems
    ObserveIT can be integrated into your existing SIEM monitoring software to enhance real-time alerting and reporting capabilities. Integration support is provided with the HP ArcSight SIEM product by enabling the export of ObserveIT log data to ArcSight CEF format. All log files from ObserveIT (user activities, DBA activity, activity alerts and system events) can be exported and integrated in the SIEM monitoring software. SIEM integration will parse these files based upon text strings that appear inside the log.
    Important: For instructions on how to integrate ObserveIT log data into the HP ArcSight SIEM product by using the CEF open log management standard, see Integrating ObserveIT with HP ArcSight CEF.
    Log files must be located in a library to which the ObserveIT Notification Service user has write permissions. By default, the log file location is C:\Progra
297. o bar displays a Refresh button to manually refresh the page, and an Auto refresh button and options to automatically refresh the page every 5, 10 or 15 minutes.
    The easy-to-use Admin Dashboard provides a quick overview of system health, just two clicks away from understanding the specific Agent event that occurred due to tampering or other errors (see Walkthrough: Two Steps to Agent Health).
    Workflow for ObserveIT Health Monitoring
    1. Notification that health status has changed, via the mini Admin Dashboard and email notification (see Mini Admin Dashboard and Configuring Email Notification Settings for Events).
    2. View the Admin Dashboard to analyze component statuses (see Admin Dashboard).
    3. Pinpoint components experiencing events: Agent group, Application Server or system service (see Agents, Application Servers and System Services).
    4. Focus on an ObserveIT component and investigate status details and causes.
    5. Drill down to the Agent to assess its operational status details (see Drilling Down to Agent Details).
    6. Investigate Agent system events to understand the root cause (see Investigating System Events).
    7. Integrate system events into the organization's existing SIEM system.
    Walkthrough: Two Steps to Agent Health
    This topic describes how to assess/restore Agent health in two steps using the Admin Dashboard.
298. of a user session: server name, user session, user name, application window titles, Unix commands, executable names and more. Monitored log files include an image URL for each recorded user session.
    ObserveIT creates two types of log files that monitor all user activity (Windows and Unix based server activities, and activity alerts) and user logins on the servers: the User Activities log file and the User Logins log file.
    The User Activities log file comprises the following files:
    1. cmyyyymmdd.log: Monitors both Windows based and Unix based server activities. This file is located under Directory 3.
    2. Alyyyymmdd.log: Monitors the activity alerts in the system. This file is located under the Alerts Directory.
    3. exyyyymmdd.log: Monitors all Windows based server activities. This file is located under Directory 1.
    4. unyyyymmdd.log: Monitors all Unix based server activities. This file is located under Directory 1.
    The User Logins log file monitors user logins to all the servers. This file, named exyyyymmdd 1log, is located under Directory 2.
    By default, the monitor log files are saved to C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles. The user account used by the ObserveIT Notification Service must have read and write permissions for the specified location.
    Note: When changing the default log folder location, new session data will be stored in the new
299. [Screenshot: Servers page with Group set to All Servers; the row for W2K8 S8 D02 shows Server Policy Manual, Version 5.8.0.0, Status OK, Installation 1/6/2015, Last Activity 1/11/2015]
    You can link the server to any Server Configuration Policy at any time.
    Configuring Server Settings
    By default, all servers are automatically configured by one of the default Server Policy Templates. Server Policies are sets of configuration options that control aspects of how a monitored server is configured. Any change to a Server Policy will affect all linked servers. However, you can also manually change server configuration settings for individual servers. To change the configuration settings for an individual server, you must first unlink the server from the Server Policy to which it was linked; as a result, the server status will change to Manual.
    As a general rule, it is recommended to use Server Policies, which makes the task of configuration much easier. By using Server Policies, the administrator can configure one set of recording settings and apply these settings to many monitored servers at the same time.
    Server settings can apply to Windows based server policie
300. om and how often emails will be sent in the event of an alert. By using configurable policies for alert notifications, they can be easily edited (for example, by changing the email address) and applied to multiple alert rules. Every Alert rule is associated with a single notification policy.
    Note: Notification policies are available for selection in the Activity Alert Rules page.
    When defining an alert notification policy (see Defining Alert Notification Policies), administrators can specify when and how often recipients will receive the email notification by selecting one of the following options:
    - Email on every alert (default frequency)
    - Send digest email no more than once every X minutes
    - Send a daily digest email at a fixed time every day (for example, 08:00 AM)
    The following examples show the email notification that users might receive when an alert is generated. Note the following:
    - The severity of the alert is indicated by a colored bar on the left: Red (High), Orange (Medium), Yellow (Low).
    - Clicking the View Details button opens the maximized view of the alert in slideshow mode with the alert's details expanded.
    - Clicking the Watch Video button launches the video player for this session at the time stamp of this alert.
    Example of Individual Alert Email
    [Screenshot: individual alert email (is admin rights). Alert ID: 10061327; Who; Did What: Ran application with permission level: False; On Which Computer: c63 64 10; When: Sunday 6/29/2014 4:38 PM; From Whic]
301. on: The ObserveIT Agent service has reported that installation files were tampered with.
    Email Sent: No
    Additional Info: Total files that were tampered with: File C:\Program Files\ObserveIT\ObserveITAgen\bin\redcl.exe has been missing
    Remediation Status: New
    Comment: Add Comment
    Assess the problem and perform the required corrective action. Go to the directory in which the files are stored (shown in Additional Info) and verify what happened: see if the file is missing or has been changed. If the file is missing, it is recommended to reinstall the Agent with the latest software version used, or copy the file from another location. If the file has been modified, then correct it as needed.
    When you are finished resolving the event, the Admin Dashboard displays the Agent group's status as OK (green). The mini Admin Dashboard is also error-free.
    [Screenshot: Admin Dashboard, recent statistics based on past 7 days, updated 1/6/2015 10:38 PM, auto refresh OFF, showing the Windows Servers Agent group (including W2K8 S8 QA11) and the system services with OK status]
302. [Screenshot: System Policy section with the Set image format drop-down list expanded, showing the options Color, Grayscale Server Compression and Grayscale Client Compression]
    Following is an example of a Grayscale recording:
    [Screenshot: ObserveIT Session Player in Internet Explorer replaying a grayscale recording of Microsoft SQL Server Management Studio Express on WIN2003]
    Following is an example of a color recording:
    [Screenshot: ObserveIT Session Player replaying a color recording of Microsoft SQL Server Management Studio Express]
303. onal statuses and system events are color-coded in ObserveIT per severity; for example, red is the highest and may require immediate attention. This enables ObserveIT administrators to quickly identify events and statuses across the system and respond accordingly. Note that every change on a local Agent triggers a system event, so that some events are normal (OK status) and do not require attention, such as when the Agent service is started.
    A mini Admin Dashboard, located on the upper right of the Web Console, is viewable from every page in the Web Console. It provides a quick preview of the Agents' operational statuses and quick access to the full Admin Dashboard. For further details, see Mini Admin Dashboard.
    ObserveIT administrators can access the Admin Dashboard by navigating to the Configuration > Admin Dashboard tab of the Web Console, or by clicking on the mini Admin Dashboard.
    [Screenshot: Admin Dashboard with callouts for the Mini Admin Dashboard, Deployed Agent Versions, Info Bar, Portal and System Services; recent statistics based on past 7 days, updated 1/11/2015 11:25 AM, auto refresh ON]
304. only if it differs from the previous screen in graphic or metadata. If a recording policy was configured specifying applications or URLs and users or user groups that should not be recorded, these will not be recorded if they are in focus during the idle time. However, if a metadata-only recording policy is preconfigured, this feature will be disabled automatically.
    Important: You must be aware when using Continuous Recording mode that it could cause a considerable increase in the database size. It is CPU intensive, and it should not be used for Terminal Services or Citrix servers that host many concurrent sessions.
    You can configure Continuous Recording mode manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies in order to configure many servers (Agents) simultaneously.
    To configure continuous recording using Server Policies:
    1. In the Configuration > Server Policies page, click Create or select a server policy template (default Windows based policy).
    2. In the System Policy section of the Server Policy Template page, the Set continuous recording check box is set to OFF by default.
    [Screenshot: Server Policy Template page for the Default Windows based Policy, System Policy section]
305. [Table residue: sample exported alert records. One record for the application wordpad with a Slideviewer link and time stamp 2014-09-04T10:57:42; one for the alert rule "Unix command name and switch" (Alert will be generated when command ps will be executed with switch e, f, F, a, u and x. This is a High severity alert and I would like to be alerted when users are using these commands), severity Medium, executed command ps aux, user root on c59 32 7 observeit com, with links to the ActivityAlerts and UnixCommandsViewer pages]
    Enabling Monitoring of ObserveIT Log Files
    To enable the monitoring of ObserveIT log files:
    1. Navigate to Configuration > Monitor Logs.
    2. Click the ObserveIT Logs tab.
    [Screenshot: ObserveIT Logs tab (next to SIEM Log Integration), ObserveIT Logging Configuration section with the Activate ObserveIT logging option]
306. [Screenshot: Messages list with Message, Reply, User, Server and Date columns; rows from Administrator on WIN2003 SRV1 dated 8/1/2010, with messages "Do not sto..." and "Job will t..." and replies "no reply was given", "I am just checking the Event Viewer", "no problem" and "ok"]
    3. You can filter this display by using a specific server name. Click the browse button to browse for specific servers.
    Managing Messages
    To view messages in the Server Diary:
    1. In the Server Diary > Activities View, you can view messages in the sessions list. Search for the required server and user session, then expand it to view the messages.
    [Screenshot: Server Diary session for Administrator on WIN2003 SRV1 local, 8/1/2010 5:43 PM to 5:50 PM, 29 slides, with messages "Job will take approx 7 hours" (reply: Ok just checking the security log), "Do not stop the backup job", "Who has approved access to this server" and "Enter the name of the person tha"]
    2. In the Server Diary > Messages View, you can view all instances of
307. [Screenshot: certificate store tree, including Certificate Enrolment Requests, Smart Card Trusted Roots and Trusted Devices]
    5. Grant the certificate full privileges for the Everyone group.
    [Screenshot: Permissions for ObserveIT Certificate private keys dialog, Security tab; group or user names SYSTEM, Administrators and Everyone; Permissions for Everyone with Allow/Deny columns for Full control, Read and Special permissions; Advanced button]
    Step 3: Enabling Image Security on the Application Server
    To enable image security on the Application Server:
    1. Navigate to Configuration > Security.
    2. In the Security tab, if required, select the Enable Session Data Integrity check box.
    Important: By default, the Enable Session Data Integrity check box is disabled. When this check box is enabled, a security check is run on all sessions in the database. If the security check finds any sessions that may have been tampered with and could therefore be corrupted, a warning icon will appear next to the relevant sessions in the Server Diary or User Diary, or in the video replay of the Session Player.
    3. Under Image Security, click the Off link.
    [Screenshot: Security page]
308. pecify (in MB/GB) the maximum volume of data that can be stored in the offline storage folder for each recorded machine, regardless of the number of sessions. The default size limit is 10 gigabytes. Note that if you do not select this option, the offline storage per recorded machine is unlimited.
    Limit per recorded session: Select this option to specify (in MB/GB) the maximum volume of data that can be stored in the offline storage folder for each recorded session. The default size limit is 100 megabytes. Note that if you do not select this option, the offline storage per recorded session is unlimited.
    Click Save to save the changes. Setting changes will take effect on new user sessions after the current sessions are closed.
    Identification Policy
    Note: This feature is supported on both Windows and Unix based server policies.
    When ObserveIT's Identification Services are enabled and configured, Forced Identification users are required to identify themselves by a secondary log-on prompt when logging on to any ObserveIT monitored server. For further details, see Identification Services.
    This topic describes how to configure identification policy settings for Forced Identification users. You can configure these policy settings manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.
    To configure identification policy settings using Server Policies:
309. pens, enabling you to define the ticketing system and test the connection settings.
    [Screenshot: Ticketing System Settings page, Connection Settings section: Ticketing System (ServiceNow), System Name, Service URL, User Name, Password, Validation Message ("Failed to validate ticket number", with Default button), Validate User ID in ticket, Validate Server ID in ticket, Test Connection]
    4. In the Connection Settings section, specify the following information:
    a. From the Ticketing System drop-down list, select either ServiceNow (built-in) or Custom Integration, depending on the type of ticketing system you want to create.
    b. In System Name, specify a name for the new ticketing system.
    c. In Service URL, enter the URL to the server on which the ticketing system (built-in) is located, or to the Web Service that was used to create the ticketing system (for a custom integration).
    d. If you are configuring a built-in ticketing system, enter your User Name and Password. Note that these fields are not mandatory for a custom integration.
    e. In the Validation Message text box, enter a message which the user will see in the case of an invalid ticket number, or accept the default message by clicking the Default button.
    f. If you are configuring a built-in ticketing system, you can choose the relevant check box to Validate the User ID in ticket and/or Validate Server ID in ticket when va
310. pic before you attempt to create or edit alert rules.
    About Conditions
    Each condition is evaluated as part of the rule. Each condition comprises:
    - Field that is being tested. For example: Server name.
    - Operator, for example: is, is not, contains.
    - Value(s) to test against. For example: SRV, DB, LAP. Note that you can enter multiple values separated by commas.
    Rules for Configuring Alert Conditions
    - For each of the Who/Did What sections, you can configure a number of alert conditions.
    - To define an additional condition, click the add icon. To delete a condition, click the adjacent delete icon.
    - You can sort the order of your conditions by clicking the sort icon.
    - The Who/Did What sections always relate to each other with the AND logic. For example: AND Ran application: Regedit AND On which computer: Computer is DBSVR1.
    - You can choose whether all conditions within a Who/Did What section must match by using the AND logic, or whether any of the conditions may apply by using the OR logic. You cannot configure AND and OR conditions within the same criteria section. To switch between AND and OR, simply click on the text.
    - A negative condition, for example "Window title does not contain x, y, z", means that the Window title does not contain x nor y nor z.
    - The system should t
311. play Privacy Protection
[Screenshot: Configuration > Security > Session Privacy tab. "When Session Replay Privacy is enabled, any attempt to replay a user session will require a password." Fields: Enable Session Replay Privacy Protection check box, Enter Password (max 14 characters), Confirm Password]
2. Select the Enable Session Replay Privacy Protection check box.
3. Enter the Session Replay Privacy password twice to confirm.
4. Click Save.
To disable Session Replay Privacy protection and/or change the password:
1. In the Configuration > Security > Session Privacy tab, enter the Session Replay Privacy password and click the Unlock button.
[Screenshot: Session Replay Privacy Protection page when locked: "This page is password protected. Enter the session replay password to unlock this page." Fields: Enable Session Replay Privacy Protection, Enter Password (max 14 characters), Confirm Password]
Implementing Security
312. ple, yes oit logon). Click Add. The group name will be verified against the Active Directory domain; therefore, you must make sure that the group already exists in the domain.
[Screenshot: "To enable specific groups from this domain to log on, please enter the Active Directory group name, i.e. Help Desk or Domain Admins. You can add multiple groups to this list." Fields: Domain Name, Group Name, Enable Group, Add. Table columns: Domain, Group, Created Date; example row: OIT DEMO LOCAL, yes oitlogon]
4. Click Save.
As a result, when user3 attempts to authenticate, they will be granted access to the desktop, but user1 and user2 will not be able to gain access to the desktop because they are not members of the yes oit logon group.
Identification Services
Configuring Local ObserveIT Identification Users
After creating Forced Identification users, you must configure an authentication target. This authentication target can be one or more Active Directory Identification targets (or domains), or Local ObserveIT Identification Users. When no central Active Directory is available against which ObserveIT Identification services can authenticate, you will need to use local ObserveIT targets for user authentication.
Note: This feature does NOT create any actual local users. It just configures ObserveIT to check if the credentials of a Forced Identification user at log on match those of any Local Ob
313. plemented by customers according to their own requirements.
Note: ObserveIT provides a template project as an example of a Web Service to help customers implement the integration with their own IT ticketing system. For further details, refer to the ObserveIT Ticketing Integration Guide.
The following procedures describe how to:
- Create new ticketing systems
- Edit the parameters of existing ticketing systems
- Delete ticketing systems
To create a new ticketing system:
1. Navigate to Configuration > Ticket Integration.
2. Click the Ticketing Systems tab. The Ticketing Systems tab opens, displaying a list of all the currently existing ticketing systems. Each ticketing system has a name and a URL to the server on which it is located.
[Screenshot: Ticket Integration > Ticketing Systems tab, listing the existing systems with System Name, Ticketing System (Custom Integration / ServiceNow) and Server URL columns, each with a Delete link]
3. Click the Create button.
The Ticketing System Settings page o
314. plications check box. Note that no video will be recorded.
Note: To remove applications from the list, select them and click the Remove button.
4. To activate recording video and metadata for specific applications, do the following:
a. Select the Record only the following applications option.
[Screenshot: "Record only the following applications. To activate recording video & metadata for a specific application, please select the process name from the list and click Add. You can add multiple applications to this list." Fields: Applications (Internet Explorer, iexplore), Add; Record URL (www.google.com), Exact Match, Add; list entry "url www.google.com", Remove. Option: "Record metadata for all applications regardless of whether they appear in the list. Video will be recorded only for applications that appear in the list."]
b. From the Applications list, select an application for which you want to enable recording, and enter the application's URL in the text box. You can specify part of the URL path, or the exact URL by selecting the Exact Match check box. Note that although the application will be added, it will only be recorded when the user accesses the specified URL.
c. Click Add. Repeat step 2 for each application that you want to include in the list.
d. For example, by typing www.google.com and clicking Add, www.google.com will be added to the
315. policy.
2. In the System Policy section of the Server Policy Template page, clear the Show tray icon check box to hide the ObserveIT Agent tray icon. By default, this check box is enabled.
[Screenshot: Server Policy Template page (New Server Policy Template), System Policy section: Enable recording, Enable Identity Theft Detection, Enable API, Show tray icon, Restrict to RDP, Enable hotkeys, Enable key logging, Optimize screen capture data size, Enable recording notification ("All activity on this machine is record...", Default), Set image format (Grayscale / Server Compression), Set session timeout (15 minutes), Set keyboard frequency (Low), Set continuous recording (OFF)]
After the setting changes take effect, no icon will be displayed in the system tray.
Important Notes:
- Disabling the Show tray icon check box hides the ObserveIT Agent icon, but all recordings on that Server will continue.
- In addition to hiding the tray icon, you might also want to hide the ObserveIT Agent program from the Add/Remove Programs applet in Control Panel.
- Setting changes will take effect on new user sessions after the current sessions are closed.
Restricting Recording to RDP Sessions
Note: This feature is supported only on Windows-based server poli
316. predefined limit, rotation occurs; that is, the file content is moved to a renamed backup file, and new log and debug data is stored in the obit.log file. Four log level options can be configured at the policy level to trace Agent activities: error, warning, info or debug. In earlier versions of ObserveIT, all internal messages and debug information were written to the syslog. The syslog is now used to store only critical system errors (error log level and above); all other events are written by default to the obit.log file, or can be configured at the policy level. In the ObserveIT Web Console, you can configure a server policy for session logs per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.
To configure session logs with session-level information using Server Policies:
1. In the Configuration > Server Policies page, select the required server policy template (Unix-based policy), or click Create to create a new server policy.
2. In the Server Policy Template page, expand the Logging & Debugging section by clicking the expand icon.
[Screenshot: Logging & Debugging section: Enable internal logs; Log file path: /opt/observeit/agent/run/obit.log (Default); Log file rotation every 10 MB; Log level: Error]
3. To enable a
317. r, which in effect says: "I do not want to receive emails when I connect from this client. Please approve this user-client pairing." If the pairing request is approved by the administrator, after receiving a confirmation email that the request was approved, the user will no longer receive emails about activity for this specific user-client pairing. If the administrator rejects the pairing request, the user receives a confirmation email that the request was rejected, and will continue to receive email notifications about this user-client activity. In addition, a new pairing request event is added to the Events table with a Not Approved status (see System Events). For further details, see Identity Theft Detection.
Creating Pairing Requests
Users can create as many pairing requests as required.
Note: An administrator can manually define and approve user-client pairs without waiting for pairing requests. For example, if the IT administrator knows that the user OBSERVEIT\danny's desktop is OITDANNY, he can pair this user-client before Danny receives any email notifications.
To create a new pairing request:
1. Navigate to Configuration > Identity Theft Detection.
2. Click the Pairing Requests tab.
[Screenshot: Identity Theft Detection > Pairing Requests tab: Add User Client Pair (Add button); Pending Requests table with Domain, Login and Client columns]
318. r Groups
[Screenshot: Create Alert Rule page. Alert Rule Details: Name, Description, Status (Active / Inactive), Severity (Medium), Notification policy (Select Notification Policy). Sections: Who (Currently: Any user); Did What (on Windows and Unix: Logged in); On Which Computer (Currently: Any computer); When (Currently: Any time); From Which Client (Currently: Any client); Cancel button]
2. Define the alert rule details as follows:
Name: Specify the name for the alert rule. For example, Suspicious Unix activity after working hours.
Description: Provide a description for the rule that explains its meaning or motivation. For example, Warn about irregular access to database servers and suspicious activity over the weekend.
Notification Policy: Select a notification policy that defines who should receive email notifications when an alert from this rule is triggered, and how often. For example, Daily digest for Division Managers. To define the policy, click the icon. For details, see Defining Alert Notification Policies. There is no default notification policy. New Alert Rules are created with no policy wh
319. r, when a pairing request is made, or during the health check monitoring of the Agent, Notification Service, Application Server or Web Console. For example, when ObserveIT Identity Theft Detection is configured (see Identity Theft Detection), administrators can verify that users are authorized to log in from the specified client computers and to the specified servers. After a user logs in to a server from the desktop, the ObserveIT administrator sends an email to the user confirming the login and event type. If identity theft is suspected, the user reports the suspicious login event to the administrator, and a high severity alert is triggered.
ObserveIT administrators can view and manage system events from the Configuration > System Events page in the Web Console. The System Events page displays a list of the currently defined system events according to the specified severity and filter criteria.
[Screenshot: Configuration > System Events page (System Events / Notification Policy tabs), with Severity, More Filters and Reset controls, paging (1-20 of 55), and a table with Received, Code, Category, Name and Server columns; example row: 4/7/2015 3:01 PM, 1304, Functionality, Application Server is running, W2K8 S8 QA11]
320. rd when installing an Agent. In this case, Require password to install an Agent is changed from Disabled to Enabled.
- An Agent security installation password was changed.
Session Privacy modifications. For example, Session Replay Privacy Protection was changed to Enabled.
Auditing Access to the Web Console
To view configuration changes in the Web Console:
1. Navigate to the Configuration > Audit > Configuration Changes tab.
[Screenshot: Audit > Configuration Changes tab (1-10 of 10) with Time, Console User, Client IP, Area, Item and Action columns. Example entries from 12/28/2014 by Admin from 10.1.100.133: Application Server W12 S12 D01 Changed (Require password to install an Agent Changed to Enabled; Require password to uninstall an Agent Changed to Enabled; Agent Installation Security Password Changed); Data Integrity Changed (Session Data Integrity Changed to Enabled); Server Policy Default Unix-based Changed; Server Policy Default Windows-based Changed (Identification Policy: Enforce Login Changed to Do not enforce login; Identification Policy: Save last used login Changed to Disabled)]
321. rdless of the user's domain.
3. To remove users/groups from the list, select them and click Remove.
4. To display the message to a limited number of users/groups, select Send message only to the following users.
5. To add specific users/groups to the Include list: Select User/Group, then enter or select the required Domain Name from the list, specify the user's Login name (or the group's Group Name), and click Add. The specified users/groups are displayed in the list.
6. To remove users/groups from the list, select them and click Remove.
To configure the message expiration and display schedule:
1. In the Display Message Duration section of the Advanced settings, you can configure the message expiration and display schedule.
By default, the message will be displayed forever, until disabled or deleted by an ObserveIT administrator.
[Screenshot: Display Message Duration options: Forever; For the next 1 hours; Up to (January 2015); Display message only once ("Do not select this check box if you always want this message to be displayed")]
a. Change the display interval of the message by selecting one of the options: Forever, For the next x hours, or Up To (date).
b. If you want to display the message only once, select the Display message only once check box.
When you have finished configuring the Advanced settings, click the Save button at the bottom of the page.
322. red client | Secondary Identification from a paired client machine. This user-client pair is valid.
Code | Name | Category | Severity | Description
(code not shown) | Secondary login from unpaired client | Identity Theft | (not shown) | A user logged in via ObserveIT Secondary Identification from an unpaired client machine. This user-client pair is NOT valid.
(code not shown) | Login from unpaired client | Identity Theft | Low | A user logged in from an unpaired client machine. This user-client pair is NOT valid.
(code not shown) | Login with no valid pair | Identity Theft | Medium | A user logged in from an unpaired client machine. This user-client pair is NOT valid, and this user is already paired with another client.
(code not shown) | Secondary login with no valid pairs | Identity Theft | Medium | A user logged in via ObserveIT Secondary Identification from an unpaired client machine. This user-client pair is NOT valid, and this user is already paired with another client.
1106 | Suspected login reported | Identity Theft | High | A user reported a suspicious use of his credentials.
(code not shown) | Suspected secondary login | Identity Theft | High | A user reported a suspicious use of his credentials via ObserveIT Secondary Identification.
1108 | User-client pairing request | Identity Theft | Low | A user sent a user-client pairing request.
1109 | Failed to send an email to the user | Identity Theft | Medium | Failed to send a suspicious use of user credentials email to the user.
Notification Service Events
Code
323. report will focus the columns and column order on the Servers object.
5. In step 1 of the report configuration wizard, you can select the columns to display in the new report, specifying the Server, Session and User. For example, select the User Name, Domain Name and Login Name for the user, as well as the Server Name, Session Start/End Date And Time, Slides Count and Session Video link. Other column types can be selected if required.
6. When you have finished designing your report, click Next.
[Screenshot: Reports > report configuration wizard, Step 1/4 Column selection, for report "Installed Software" (Server Software Install/Uninstall). "Select the columns you wish to include in your report" (Check All / Clear All). Server columns: Server Name, Server Policy Name, Installation Date, Recording Status, Server Version, Server Policy ID, Sessions Count, Server Last Activity Date, Server ID, Operating System Name. Session columns: Is Session Alive, Machine Name, Session End Time, Session Start Date And Time, Session Start Date, Client IP Address, Session Video, Session Start Time, Slides Count, Session End Date And Time, Client Name, Session End...]
324. requency: Recurs every / Once / Run Now (Note: Action will be executed immediately on Save). Run on Sunday at 1:00 PM]
Specifying the Type of Data to be Processed by the Archive Job
In the Data Type section of the Schedule Archive page, you select the type of data that will be processed by the archive job. By default, sessions from the All Servers group will be processed, but you can add or remove individual servers (or Agents) and/or server groups according to your requirements. You can also configure the processed sessions by user accounts.
- To configure the processed sessions by servers, click the button next to the Server field, select any server you want to add to the list, and then click Add. The server will be added to the list.
- To configure the processed sessions by user accounts, click the button next to the User field, select any user you want to add to the list, and then click Add. The user will be added to the list.
[Screenshot: Data Type section. "Filter data by the following Servers or Server groups": Servers / Groups (All Servers); table with Name, Type, Version, Status and Date columns (All Servers, Group); Check All / Clear All. "Note: Sessions from these servers or server groups will be archived." "Filter data by the following users. Note: If no user is entered, the action will be performed on all users." Domain\User field; Check All / Clear All]
325. rieve requests from specific domains, logins and/or clients. To search for specific pending requests, specify your search criteria in the fields provided above the list and click Search.
Configuring Identity Theft Settings
Important: When Identity Theft Detection is enabled in ObserveIT, in order for users to receive email notifications, SMTP must be configured and the LDAP field name must be defined on the LDAP server. For further details, see SMTP Configuration and LDAP Settings Configuration.
To send email notifications to users about logins and pairing requests, you can:
- Specify the email addresses to which emails will be sent upon new pairing requests
- Define the default period of time for which the approved pairing requests will be valid
- Select the server policies on which these Identity Theft Detection settings will be enabled
- Preview and edit (if required) the email notification text that will be sent to the specified email addresses
Defining Email Addresses
To define the email addresses to which the specified email will be sent upon each new pairing request:
1. Navigate to Configuration > Identity Theft Detection.
2. Click the Settings tab.
[Screenshot: Identity Theft Detection > Settings tab]
326. rigger a new alert if any of the matched conditions are different from previously triggered alerts. For example, when the condition User ran application Regedit, SQL Manager or CMD is defined, an alert is triggered if the user runs Regedit or CMD.
Defining the Who Conditions
In the Who section of the Create Alert Rule page, you can define or edit the individual(s) or groups of users who performed the activity on which an alert will be generated.
To define the Who conditions:
1. Open the Who section by clicking the expand icon (or the Edit icon).
[Screenshot: Alerts > Activity Alert Rules > Create Alert Rule page. Alert Rule Details: Name, Description, Status (Active / Inactive), Severity (Medium), Notification policy. Who section: Login account domain\name is ... OR Secondary user domain\name is ... OR Login/secondary user domain ... is ...]
Important: Before you begin, make sure that you have read the Rules for Configuring Alert Conditions described in Understanding the Logic for Triggering Alerts.
2. To define the individual(s) or groups of users who performed the activity on which an alert will be generated, select the relevant user type options, as described in the following table.
327. rom 02/10/2011 to 01/10/2012. You have a private key that corresponds to this certificate. Issuer Statement. Personal store contains ...]
Alternatively, if you do not have an online CA, or simply want to test this configuration without obtaining a trusted certificate, you can also use the MAKECERT utility from Microsoft, which can be downloaded separately or as a part of the Microsoft Windows SDK from the Microsoft Download Center (Microsoft Windows SDK for Windows 7 and .NET Framework 4). After you have obtained the MAKECERT utility, run the following command to obtain a self-signed certificate:
makecert -n "CN=ObserveIT Certificate" -sr LocalMachine -ss My -a sha1 -sky exchange -pe -r -m 12 -sp "Microsoft Strong Cryptographic Provider" -sy 1 -len 2048
Note: Use this procedure only for testing purposes.
After the Digital Certificate is obtained, it will be used in the process of encrypting and decrypting the images.
Important: It is very important that you maintain a proper backup of this Digital Certificate and the associated Private Key. This can be done by exporting it to a PFX file and keeping it in a safe place. The PFX file is also used to import the Digital Certificate and the associated Private Key to additional Application Servers.
Step 2: Installing the Digital Certificate
To install the certificate using the Internet Information Services (IIS) Manager / Microsoft Management Console (MMC):
1. Go to Start > Run
328. roups
[Screenshot: Configuration > Servers page. Filters: Server Name, Group (All Servers), Status (All), More Filters; 1-1 of 1. Table columns: Server Name, Server Policy, Version, Status, Installation, Last Activity; example row: W2K8 S8 D02, Manual, 5.8.0.0, OK, 1/6/2015, 1/11/2015]
Linking a Server to a Server Policy Template from the Server Properties Page
When a Server is linked to a Server Policy Template, the name of the template is visible in the Servers list page and in the Server's property page.
To link a Server to a Server Policy:
1. Navigate to Configuration > Servers.
2. Click the relevant server to open its property page.
[Screenshot: Server property page for W2K8 S8 D02 (5.8.0.0), Back to Servers List. "Currently server is linked to the Default Windows-based Policy configuration policy. In order to enable the Save button you must first unlink the policy." Fields: Server ID, Server Name (W2K8 S8 D02, Modify Name), Server Policy Template, App Server, Enable recording, Enable Iden...]
329. rs, Active Servers, Windows Servers or Unix Servers.
Note: You must add at least one server. Default servers are not provided.
To remove servers from the list of servers on which the ticket policy will be applied, select them and click Remove.
6. In the Select Users section, specify which users will receive the ticketing policy message upon logging in to the monitored servers. By default, the message will be displayed to any user that logs on to the selected servers.
[Screenshot: Select Users. Option "Send message to any users logging on to above servers": "To exclude specific users from logging on, please enter Domain Name/Login, e.g. administrator or OBSERVEIT\danielp." Exclude: Domain (for all) / Login / User, Add; table with Domain, User, Created Date and Type columns. Option "Send message only to the following users": "To include specific users from logging on, please enter Domain Name/Login, e.g. administrator or OBSERVEIT\danielp." Include: Domain (for all) / Login / User; table with Domain, User, Created Date and Type columns]
7. To exclude specific users from receiving the ticketing policy message, you can add them to the Exclude list:
a. From the Exclude drop-down list, select User or Group.
b. If you selected User, enter the Domain or select it from the list, specify the user's Login name, and click Add.
c. If you selected Group, enter the Domain Name or select i
330. rtant metadata information, such as the date and time of user sessions, server name, user name, application window titles, Unix commands and executable names. In addition, the log files include image URLs for each recorded user session. You can use third-party monitoring and management tools, such as Microsoft System Center Operations Manager or similar products from leading vendors (such as IBM QRadar, HP ArcSight, Splunk, McAfee SIEM, ELM), to parse the log files and create events, triggers and alerts based on text strings of information that appear inside the log files. ObserveIT can thus be integrated into your existing monitoring software and provide very important real-time alerting and reporting capabilities.
Note: In this version of ObserveIT, integration is provided with the HP ArcSight SIEM monitoring software by enabling the export of ObserveIT log data in ArcSight CEF format.
For information about how to configure alert or event logging with Microsoft System Center Operations Manager 2007, refer to the Knowledge Base article "Creating security alerts of abnormal user actions on Windows servers using Microsoft System Center Operations Manager and ObserveIT".
The following topics describe:
- Monitoring ObserveIT Logs
- Integrating Logs into SIEM Systems
Monitoring ObserveIT Logs
The monitor log files record all activity as it happens on the servers. These log files contain important metadata information, such as the date and time
331. rts
[Screenshot: Activity Alerts page. Filters: Period (Last 1 Months / Between 07/22/2014 and 07/30/2014), Severity (All), Alert rule (All), More Filters, Alert content keyword, Reset, Show; 1-7 of 7. Table columns: Time, Alert, Login, User, Server, Video. Example alerts from Sunday 7/20/2014 for the rule "Browsing SETTINGS pages", login micky, server OBSERVEIT PM, with View rule details: Who: OBSERVEIT PM\micky; Did What: Opened window "Signed Out | LinkedIn - Google Chrome", Visited URL https://www.linkedin.com/uas/logout... (12:17 PM, Alert ID 10000006); Opened window "Account & Settings | LinkedIn - Google Chrome", Visited URL https://www.linkedin.com/setting... (12:17 PM, Alert ID 10000005); Opened window "General Account Settings - Google Chrome", Visited URL https://www.facebook.com/setting... (12:16 PM, Alert ID 10000004); On which Computer: OBSERVEIT PM; From which Client: OIT MICKY (10.1.100.100); list continues with further "Browsing SETTIN..." alerts]
332. rver Group list and display it in the Admin Dashboard:
1. In the Server Groups page, type the name of the new server group and click Add.
The following figure shows how to add a new group, Finance Servers, to the list.
[Screenshot: Configuration > Server Groups page: Add Group "Finance Servers"; table with Server Group Name, Servers and Show in Dashboard columns: All Servers (3), Active Servers (3), Windows Servers (2), Unix Servers (1), Windows WorkStations (0), Windows Gateway (0), Windows ActiveX (0)]
The new server group appears in the Server Groups list, but without servers.
Note: Server groups without attached servers will not be displayed in the Admin Dashboard.
[Screenshot: Server Groups list now including Finance Servers (0), with Add Servers and Delete buttons]
Note: Server groups without attached servers will not be displayed on the dashboard.
To add servers to the new ser
333. s Unix-based server policies, or both Windows- and Unix-based server policies. The following settings can be configured on individual servers or on multiple servers:
Windows-Based Server Policies
- Enabling Agent API
- Showing/hiding the Agent tray icon
- Restricting recording to RDP sessions
- Enabling hotkeys
- Enabling key logging
- Optimizing screen capture data size
- Setting the image format (recording in color or grayscale)
- Setting keyboard recording frequency
- Setting continuous recording
- Application recording policy
Unix-Based Server Policies
- Data recording policy
- Agent logging and debugging
- Memory management
Windows- and Unix-Based Server Policies
- Enabling Agent recording
- Enabling Identity Theft Detection
- Enabling recording notification
- Setting session timeout
- Offline recording policy
- Identification policy
- User recording policy
Note: The policy settings that you can configure on an individual server are identical to the policy settings that you can configure for any Server Policy Template. For further details on how to configure policy settings on an individual server or on multiple servers simultaneously, see Configuring Server Policy Settings.
Server Groups
In ObserveIT, you can use server groups to apply management and configuration features simultaneously to several servers. In ObserveIT terminology
334. s
[Screenshot: Configuration > Alerts > Activity Alert Rules (Manage Alert Rules) page, with Create New Alert Rule button. Filters: Status (All), Severity (All), Notification policy (All), Alert rule keyword, History (All), Updated on (During last 1 Years / Between 12/28/2014 and 01/05/2015), Updated by (All), More Filters, Reset, Show; 1-17 of 17. Table columns: Alert Rule Name, Status, Updated on, Updated by; e.g. "SAMPLE Access from outside the organization" (Inactive, 1/4/2015, Admin) and "SAMPLE After hours access to sensitive servers" (Inactive, 1/4/2015, Admin; Duplicate / Delete). Expanded rule details: Description: "Remote vendors try to log in to servers belonging to sensitive groups not during regular business hours (during weekends or holidays)". Who: Login account domain\name is member of group RemoteVendor, Contractors. Did What (Windows & Unix): Logged in. On Which Computer: ObserveIT server group name is DBServers, FinanceServers. When: Day of week is Sunday, Saturday OR Specific date is 01/09/2014, 13/10/2014, 31/10/2014 OR Time of ...]
s a subfolder to the database which contains the related metadata. In this way, all relevant session data is kept together. Since you can define multiple file system locations for each database, you can also have a number of databases, each with several file system locations.

The following topics in this section describe how to manage the ObserveIT database and file system storage, including:
- Viewing information about the current ObserveIT SQL database
- Viewing session information on the SQL Servers that are recorded in the database
- Identifying if the system is using the SQL database or the file system for screen capture storage
- Setting thresholds for system alerts if the database or the file system reaches its maximum allocated storage
- Creating new file system locations for screen capture data
- Viewing previous file system locations in order to be able to replay recorded sessions

See:
- Viewing Database Information
- Configuring Screen Capture Data Storage
- Viewing Servers Database Information

Viewing Database Information

By default, ObserveIT stores all the captured data, including screen images and configuration settings, inside Microsoft SQL Server databases. However, in many deployments the file system is the preferred method for storing screen image data instead of the SQL database. Even when the file system is used for storing image data, a functional SQL Server database is still required for storing all the r
s and statuses, color coded per severity. The colored severity bar on the left indicates the event (operational status) severity level. For descriptions of the Application Server statuses, see Assessing Application Server Statuses and Details.

[Screenshot: Application Servers panel showing the statuses Not Running (W2K8-S8-QA11) and Unable to Save Data (WIN-DBDGOS520RV, W2K8-33-QA-1)]

2. To drill down to examine event details, click the relevant Application Server.

The System Events page opens, filtered to display the Application Server and the related system events that caused the error. The most recent event that caused the error appears at the top of the list.

[Screenshot: System Events page filtered by Component = Application Server, Period During last 1 Months. Example event (1 of 12): Received 1/7/2015 11:03 AM, Code 1301, Category Functionality, Severity High, Component Application Server, Status Details Not Running. Event Description: "The ObserveIT Application Server is not working properly." Email Sent: No. URL of the Application Server or Web Console: http://w2k8-s8-qa11:4884/ObserveITApplicationServer. Comment: "Application server is unreachable". Remediation Status: New.]
s empty, is not empty, contains, does not contain, starts with, does not start with, ends with, does not end with. Example: Client IP address is 10.1.0.16, 10.1.2.100.

Defining Alert Notification Policies

Alert notification policies enable ObserveIT administrators to define the email notifications that will be created when an alert is generated. These policies define to whom and how often emails will be sent in the event of an alert. By using configurable policies for alert notifications, they can be easily edited (for example, by changing the email address) and applied to multiple alert rules. Every alert rule is associated with a single notification policy.

Alert notification policies are configured in the Alert Notification Policies tab in the ObserveIT Web Console. From this page, the administrator can create new notification policies, edit existing policies, and delete policies.

To create a new notification policy:
1. Navigate to Configuration > Alerts > Alert Notification Policies. The Alert Notification Policies tab displays a list of currently defined notification policies.

[Screenshot: Alert Notification Policies tab with a Create New Policy button and the policies "On every alert" and "Hourly digest", each with Edit and Delete links]
s is also permitted to users without recorded sessions.

[Screenshot: Console User permissions page, Users section listing Domain\User entries (for example D16W3S5-2\Admini...), with Add, Check All and Clear All controls]

2. To assign the console user permissions to view recordings made on specific servers or groups of servers:
   1. If you do not want the Console User to be able to monitor all the installed servers, in the Servers section you must remove the All Servers group from the permissions list of the user. Click the check box next to the All Servers group and click Remove.
      Note: If you do not add at least one server to this list, the Console User will not be able to view any servers and therefore will be rendered useless. You will not be able to save the settings if no server or server group exists in the server list.
   2. After you have removed the All Servers group from the list of permissions, you must add at least one valid server to the list of permissions for that Console User. Click the button, select a server, and click Add. The server is added to the list.
   3. To grant permissions for the Console User to view entire groups of machines, click the Server Groups drop down list, select the Server Group, and click Add. The Server Group is added to the list.

To remove a server from the list in the permissions screen
s is the same session, this application name also matches the condition.

3. Within the same session, the user runs the Regedit application. NO: An alert is not generated, because this is not the first time in the session that the user runs this application.

Condition: Window title contains hosts, permissions or security. This condition specifies that every first time in a session a window title contains the word hosts, permissions or security, an alert should be generated.
1. User logs in to a session and opens the sensitive hosts.txt file in Notepad. The window title shows "hosts.txt - Notepad".
2. Within the same session, the user opens a document entitled "Viewing permissions.docx" in Microsoft Word. YES: An alert is generated because, even though this is the same session, the window title contains a word that matches the condition.

Condition: Permission level is not Admin. This condition specifies that an alert should be generated if the logged in user does not have Administrator permissions.
User tries to access the hosts.txt file without root/admin permissions.

When you have finished defining the conditions for this scenario, the Did What details in the Activity Alert Rules tab should look like this:

[Screenshot: Did What section. Windows: Application name is Regedit, SSMS (SQL Management Studio), Setup, Notepad AND Window title contains hosts, permission, security AND Permission le
s possible with any group scope (domain local, global or universal), it is recommended that you follow Microsoft's best practices on group object usage. For further details, refer to Active Directory Best Practices.

- If the server on which the ObserveIT Application Server is installed is not a member of any Active Directory domain, you can manually add LDAP Targets, and these will be configured as Manual type LDAP Targets. This will enable the usage of Active Directory users; however, you cannot use groups from that domain. To allow ObserveIT to use Windows Authentication against an Active Directory target, you must identify the Domain User Name and Password to be used to access that domain. For further details, see Console Users and Configuring Active Directory Groups.

Note: The ObserveIT Web Console Server must be able to communicate through LDAP traffic with at least one of the domain controllers in the target Active Directory domain. LDAP traffic uses TCP port 389 in most cases. If a firewall exists between the ObserveIT Web Console Server and that domain controller, you will need to configure the firewall to properly allow LDAP traffic to and from that domain controller. Consult with your firewall vendor or manual to learn how to properly configure your firewall.
Recording in Color or Grayscale

Note: This feature is supported only on Windows based server policies.

By default, all ObserveIT session images are recorded in grayscale. However, it is possible to change the recording settings to full color. The recording color affects the ObserveIT Agent performance (depending on the format of the collected screenshots), the database storage required, and network utilization.

Session image colors can be compressed on the ObserveIT Client side or Server side. On the Client side, the Agent captures the images in color and compresses them to grayscale images. On the Server side, the Agent sends the captured colored images to the Application Server, which compresses them either to grayscale or color.

Note the following:
- By default, the images are compressed using Grayscale Server Compression. However, if more than two monitors are connected to your computer, or if the monitor size is larger than 1680x1050 pixels, the image format switches to Grayscale Client Conversion.
- When the Agent is in offline mode, even if you are recording the images in color, all the images will be saved as grayscale regardless of the server policy configuration. In the Session Player, however, the images might be both colored and grayscale, that is, colored when the Agent is online and grayscale when the Agent is offline.
- The default setting, Grayscale Server Compression, requires
s that span for a long period of time during non working hours. You can also view cached reports that have been run previously.

To run a report:
1. In the Reports tab, click the Run link next to the report you want to run.

[Screenshot: Reports > Report List (Scheduled Reports for Console User, Create New Custom Report). Columns: Name, Description, Modified, Created by, and Run / Cached / Schedule / Copy / Edit / Delete links per report. Custom Reports listed: "All Remote Desktop Sessions in the past month" (Lists all Remote Desktop Sessions in the past month; 01/11/09; admin); "SAMPLE Admin related tasks Past Week" (Administrative related tasks performed on monitored servers; 28/10/09; admin); "SAMPLE App usage grouped by ServerName Past Week" (All apps used on monitored servers, grouped by Server Name; 25/10/09; admin); "SAMPLE Apps usage per Server grouped by App Name Past Week" (Report all apps used on the monitored servers, grouped by App Name; 25/10/09).]

2. Depending on the report type and group by options used, you can click the Show All Details link to disp
sages can be re-enabled.

To disable a message:
- In the Configuration > Messages page, click the Disable link next to the message you want to disable.

[Screenshot: Configuration > Messages > Manage Messages page (Status: All, 1 of 1). Active Messages (1): "Warning message", modified 1/12/2015 6:57:16 PM, posted by Admin, with Edit / Disable / Delete links; Disabled Messages: 0; Expired Messages: 0. Callout on the Disable link: "Click to disable this message".]

To re-enable the message, click the Enable link next to the message.

Acknowledging and Replying to Messages

Acknowledging Messages

Users must acknowledge each message they receive. This information can be used to track user sessions and their interaction with the desktop. Furthermore, having proof that a user was indeed presented with the message and that they acknowledged it can be useful for auditing and security purposes. Without acknowledging the message(s), the messages window cannot be moved
se size may not shrink in actual physical size. To reduce the overall size of the database, use proper SQL Server maintenance procedures.

Archiving Information

Archiving of data and keeping the database to a manageable size is a concern for all organizations. Storing obsolete and irrelevant data online reduces the overall performance of a database server. To minimize performance problems that are caused by maintaining excess data, you can implement an archiving strategy. By archiving data, you can decrease disk space usage and reduce the maintenance required, for example in defragmentation, backup and restore procedures. From a performance point of view, if a production database or file system storage has obsolete data that is never or rarely used, query execution can be time consuming because queries also scan obsolete data. To improve query performance, you should move obsolete data from the production database/file system to another (archive) database/file system.

ObserveIT's database archiving feature provides enhanced database performance by moving obsolete data from the main production database to a secondary archive database. Archiving of data can also be performed on file systems that are used for storing screen capture data. Archiving jobs can be launched manually or can be scheduled for automatic periodic archive rotation.

Note: The archive data can be split into
[Screenshot: Activity Alerts page filtered by Period Last 6 months and Severity High, Alert rule All. Columns: Time, Alert, Login, User, Server, Video. Example rows dated 2/9/2014 and 2/6/2014 show the alerts "After hours Login to DB server", "Opened Hosts file" and "Opened Regedit" for login administrator on server OITHostedDem...]

Alert Viewing Modes

You can view alerts in different modes. To switch between modes, click the required icon.

- List view: In this view you can see at a glance all the alerts that are already configured according to the specified filter criteria.
- Details view: In this view you can see for each alert exactly Who Did What, On Which Computer, When, and From Which client.

The Gal
ser types on the keyboard. The frequency of the character typing will determine how often a screen capture is performed. For example, if a user types just one or two words in the command prompt window in a leisurely manner, it will probably trigger one or two screenshots. However, if the same user types a 500 character email or Word document, many screenshots will be captured, but not every single typed character will invoke a screen capture.

It is possible to change the settings of the keyboard stroke recording frequency.

Important: Changing the keyboard stroke recording frequency will result in many more captured images and metadata, resulting in a lot more bandwidth usage plus extra storage usage on the SQL Server database. This setting is not recommended unless it is absolutely essential.

You can configure the keyboard stroke recording frequency manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.

To configure the keyboard stroke recording frequency using Server Policies:
1. In the Configuration > Server Policies page, click Create or select a server policy template (default Windows based policy).
2. In the System Policy section of the Server Policy Template page, from the Set keyboard frequency drop down list, select the required keyboard stroke frequency.

[Screenshot: Server Policy Template page (Back to Server Policy Templates, Linked Servers, C
serveIT User

This topic describes how to configure the local ObserveIT targets against which the users will authenticate. It also describes how to delete local ObserveIT users.

To configure Local ObserveIT Identification users:
1. Navigate to the Configuration > Identification page.
2. In the Local ObserveIT Identification Users section, click Create.

[Screenshot: Local ObserveIT Identification Users section ("These are the Local ObserveIT Targets against which the users will authenticate"), with columns User Name, Update Date and Delete]

The Add Operator window opens.

3. Type the user name and the required password, and confirm the password. You MUST enter a password.
   Note: The user name and password are created locally inside the ObserveIT database and are not matched against any external source. When a Forced Identification user logs on to any ObserveIT monitored server, they must enter this user name and password for secondary authentication in the ObserveIT Windows log on screen / Unix prompts. For details, see Identification Services.

[Screenshot: Add Operator to ObserveIT Authentication dialog with User Name, Password and Confirm Password fields and Close / Add buttons]

4. Click Add.
5. Repeat steps 2 and 3 for each user that you want to add.
shades indicate within the past 2-3 days, and the lightest shades indicate earlier in the week. You can click the icons, the colored statuses and the error numbers to drill down to further details.

App Servers displays a list of Application Servers and their statuses. You can click the Application Servers to drill down to further details.

Deployed Agent Versions, at the top of the Admin Dashboard, displays the current Agent version, the number of Agents running the latest software version and earlier software versions, and the number of Agents recently installed/uninstalled (in the past 7 days). You can click the Latest/Earlier version links and the Recently installed/uninstalled links and icons to drill down to further details.

System Services, at the top of the Admin Dashboard, displays information about the Notification Service, Rule Engine Service and Health Monitoring Service statuses, whether OK or with errors (each marked by its status icon). You can click each service icon to drill down to further details.

The info bar at the top of the Admin Dashboard provides the following information and functionality:
- Recent Statistics based on, on the left of the info bar, shows the time period (past 7 days) of the various statistics displayed in the Admin Dashboard.
- Updated, in the middle of the info bar, shows the last date and time the data on this page was updated (refreshed).
- Manual/Auto refresh, on the right of the inf
sion Replay Privacy

Auditing Saved Sessions

In the Audit Saved Sessions tab, you can view details about recorded ObserveIT sessions that were saved for viewing offline. These sessions were saved in the Configuration > Saved Sessions tab of the Web Console. Saved sessions include details of the number of slides in the recordings, the session's date, and additional information. After a recorded session is saved, it becomes available for downloading. For further details, see Saving Sessions.

A Saved Session audit entry is created whenever the user creates a saved session.

To view details about sessions that were saved:
1. Navigate to the Configuration > Audit > Saved Sessions tab.

[Screenshot: Configuration > Audit > Saved Sessions tab with filters Operator, Up To (March 2014) and Action Type (All). Results 1-1 of 1: Session Name "My Session", Requested Slides Full, Action Time 2/6/2014 10:59:56 PM, Server WIN2003-OITSRV, Domain\User Name ObserveIT\Admin, Total Slides 22, Action Type Download.]
sive

Tampered With: Installation files were tampered with (missing files, changed files). Offline data files were tampered with. Interception configuration / Agent Registry keys were tampered with.

Unrecorded Sessions: There are unrecorded Agent sessions. This occurs when a user ends the Agent process or disables interception (in Unix). There are currently x missing sessions out of y sessions.

Interception Off: The Agent interception is off. The Unix Agent internal Watchdog (obitd service) failed to start the ObserveIT logger after a problem was detected, and recording was disabled. When interception is marked as off, missing sessions are not shown.

Data Loss: Recorded data was lost by the Agent while the Agent was running.
- Online data loss: Data is not transmitted to the server.
- Offline data loss: Data files were tampered with while the Agent was offline and the threshold limit (in MB) was exceeded, or there was a lack of disk space.
(the status is OK; the status does not change to error)

Descriptions for the Unreachable, Communication Error and Unknown Reason statuses:
- The machine is pingable but does not respond.
- The machine is disconnected from the network, for example when it is in hibernate mode or has been shut down.
- The Agent machine is not pingable. It is not responsive and does not communicate with the Application Server. However, the syste
small change in the report but do not want to go through all the steps of creating it from scratch, or delete it.

[Screenshot: Reports > Report List (Scheduled Reports for Console User, Create New Custom Report), listing the custom reports "All Remote Desktop Sessions in the past month", "SAMPLE Admin related tasks Past Week", "SAMPLE App usage grouped by Server Name Past Week" and "SAMPLE Apps usage per Server grouped by App Name Past Week", each with Run / Cached / Schedule / Copy / Edit / Delete links]

When you run a report, the results are displayed in a separate webpage.

Note: Running a report might generate additional CPU and resource usage on the SQL Server holding the ObserveIT database. To prevent this overhead while the server is working, try to run reports that will result in massive queries (such as in report
software. By default, installation security is disabled. By enabling installation security, only users with knowledge of the installation security password can proceed with the Agent installation or uninstallation. The ObserveIT Agent installation or uninstallation UI will prompt the user to enter the installation security password.

To enable installation security:
1. Navigate to Configuration > Security.
2. In the Security tab, if required, select the Enable Session Data Integrity check box.
   Important: By default, the Enable Session Data Integrity check box is disabled. When this check box is enabled, a security check is run on all sessions in the database. If the security check finds any sessions that may have been tampered with and could therefore be corrupted, a warning icon will appear next to the relevant sessions in the Server Diary or User Diary.
3. Under Installation Security, click the Off link.

[Screenshot: Configuration > Security tab (Security / Session Privacy / Application Servers). Data Integrity section: "When Session Data Integrity is enabled, a warning icon will appear next to the Slides number in the Server/User Diary, indicating the session data was tampered with", with the Enable Session Data I
st
2. From the Server properties page.

See the following topics:
- Linking a Server to a Server Policy Template from the Server Policy Templates List
- Linking a Server to a Server Policy Template from the Server Properties Page

Linking a Server to a Server Policy Template from the Server Policy Templates List

To link Servers to a Server Policy:
1. Navigate to Configuration > Server Policies.
2. In the Server Policy Templates list, click the Servers link next to the relevant Server Policy to which you want to link the servers.

[Screenshot: Configuration > Server Policies > Server Policy Templates list (Windows based computer policies) with columns Name, Install Parameter and View, and a Servers link and Copy link per policy: Default Windows based Policy (Servers: 1), Default Metadata Only Policy (0), Default Unix based Policy (Servers: 0), Default Recording Disabled Policy (Servers: 0)]

3. In the Policy Servers page, click the Add Servers button.
system locations in which to store archived screen capture data. You can define multiple archive file system locations for the currently active archive database. Before the current file system archive file reaches its maximum allocated storage, it is recommended that you create a new file system location in which to store the archived screen capture data. Once committed, the active local or network path to the archive location will change to the new path, and all session screen captures will immediately be archived there. The old path will be displayed in the Historical Data Storage Locations section in the Configuration > Archive > Storage Management tab.

View previous data storage archive locations: In the Historical Data Storage Locations section, you can see detailed information about local/network paths which were previously used by the system for archiving screen capture data.

Note: When using the file system, the archived screen captures are stored under the current archive database with the related metadata, under the currently active archive path. For example, if the archive path is ObserveIT_Archive MAR 17 and the currently active archive database is ObserveIT_Archive_3, then the screen capture data will be archived under ObserveIT_Archive MAR 17 ObserveIT_Archive_3. This enables administrators to easily correlate the archive file system data with the relevant archive database (in this example, ObserveIT_Archive_3).
t Messages page, navigate to the Views column and note the number of times that the message was displayed.

2. Click the message you want to view.

[Screenshot: Manage Messages page (Status: All, Results 1-2 of 2). Active Messages: "Who has approved access t..." (modified 8/1/2010 5:37:13 PM, posted by Admin, 2 views) and a second message (8/1/2010 5:22:46 PM, Admin, 6 views), each with Edit / Disable / Delete links; Disabled Messages: 0.]

The Views tab opens, displaying all the instances of the selected message, including the server name, user name, date and time where the message was displayed, and when the user acknowledged it. It also displays the user input or feedback, if any was provided.

[Screenshot: Configuration > Messages > Messages Diary for the message "Do not stop the backup job". Body: "Job will take approx 7 hours. Do not stop the job. For questions please call Daniel at 972...". Results 1-6 of 6 with columns Name, Body, Reply, Login, Host, Displayed At and Acknowledge. Example rows: reply "Ok just checking the security log", login Administrator, host WIN2003-SRV1, 8/1/2010 05:49:46 PM / 5:43:23 PM; reply "no reply was given", Administrator, WIN2003-SRV1, 8/1/2010 05:42:32 PM / 5:38:08 PM.]
t console or the ObserveIT Application Server (see Enabling SSL on the Web Console and Configuring an ObserveIT Windows Agent to Use SSL in the Installation Guide), you CANNOT use the same SSL certificate for the encryption of images. The certificate MUST be configured for at least Encrypting File System purposes.

[Screenshot: ObserveIT Certificate Properties dialog, General tab (Cross-Certificates, OCSP, Extended Validation tabs). Certificate purposes: "Enable only the following purposes" selected, with Encrypting File System checked; other listed purposes are IP security end system, IP security tunnel termination, IP security user, Windows Hardware Driver Verification, Windows System Component Verification and OEM Windows System Component Verification. Note in the dialog: "You may only edit certificate purposes that are allowed by the certification path."]

Enabling Installation Security

Installing ObserveIT Agents can be performed by any user with local administrative permissions on a computer and with sufficient knowledge about the name or IP address of the ObserveIT Application Server. Some customers may want to enable an additional layer of security that will prevent unauthorized installations or uninstallations of the ObserveIT Agent
t ID: From the Activity Alerts Details view, click an Alert ID link to open the Search page filtered to display a session according to a particular alert ID, in order to view additional information about the session and the context of the activity that caused the alert with that ID.

Filtering Alerts

In the Activity Alerts page, you can filter the alerts displayed in the Alerts list per specified criteria.

To filter the alerts displayed in the Alerts list:
1. In the Period field, specify the time period (Last) or a date range (Between) for your search.

[Screenshot: Activity Alerts filter bar: Period Last 1 Months / Between 12/25/2014 and 01/02/2015; Severity All; Alert rule All; More Filters: Server, Login, Server group, User (secondary), Client, Flagged (All); Alert ID; Reset / Show buttons]

2. From the Severity drop down list, select the alert severity level that you want to view (High, Medium, Low), or select All to view all.
3. From the Alert rule drop down list, select the alert rule that you want to view, or select All to view all.
4. Expand the More Filters section by clicking it to filter the alerts displayed according to additional criteria, as described in the table below.
5. In the Alert ID text box, type the ID of the particular alert that you want to view. Note that search is enabled only according to the exact alert ID.
6. When
[Screenshot: Reports > Report List, with Run / Cached / Schedule / Copy / Edit / Delete links next to each report]

A message dialog box opens prompting you to confirm.

2. Click OK to proceed. The report is deleted.
t from the list, specify the group name in the Group Name field, and click Add.
Note: The Domain (Domain Name) drop-down list displays all the domains in the Active Directory forest in which the ObserveIT Application Server is a member. You can also choose to exclude any user with the specified login name from receiving the message, regardless of the user's domain.
To remove users or groups from the Exclude list, select them and click Remove.
8. To display the ticketing policy message to a limited number of users, select Send message only to the following users and specify the users or user groups that you want to include, as follows:
   a. From the Include drop-down list, select User or Group.
   b. If you selected User, enter the Domain or select it from the list, specify the user's Login name, and click Add.
   c. If you selected Group, enter the Domain Name or select it from the list, specify the group name in the Group Name field, and click Add.
Note: The Domain drop-down list displays all the domains in all the forests in the network. You can also choose to enable any user with the specified login name to receive the ticketing message, regardless of the user's domain.
To remove users or groups from the Include list, select them and click Remove.
9. When you have finished configuring your new ticketing policy, click Save. The newly created ticketing policy is displayed in the list of Active Tickets in the Ticketing Policies tab.
To
t have enough space on the disks that hold the folder in which you want to store all the recorded visual images. When using a single file system, if the disk is full the system stops recording, and you will need to remove data from the disk in order to continue recording. Recording that stops for lack of space is a gap in the audit trail, so the threshold event described below should reach someone who acts on it.

To extend and manage your file system storage without disrupting recording, ObserveIT enables you to configure multiple file systems. This means that when file system disks become full, you can define new file system locations to hold the ObserveIT screen capture data. You can define multiple file system locations for each database. Note that you will still be able to access the old file system locations in order to replay their recorded sessions.

By configuring a threshold for a system event to occur just before the file system reaches its maximum allocated storage, you can be alerted to configure additional storage before you experience screen capture data loss. The previous file system location remains fully available for playback even while new screen capture data is written to the new location.

Managing ObserveIT Storage

Note: ObserveIT automatically manages the directory in which you specify that screenshot data should be stored, including an auto-generated subdirectory tree per date and per session. The folder structure is automatically created so that the file system location with the screen captures appears a
talled, or Unregistered.
2. From the Server Name drop-down list, select the name of the server you want to view.
3. From the Status drop-down list, select the status of the servers that you want to view, or select All to view all.
4. Expand the More Filters section to filter the servers displayed according to additional criteria, as described in the table below.
5. When you have finished defining your search criteria, click Show to update the server list according to the specified details. To clear the filter fields, click Reset.

More Filters
- Server Policy: To search for servers by policy, select an option from the list, or select All to view all servers. Options include Manual, Default Metadata Only Policy, Default Recording Disabled Policy, Default Unix-based Policy and Default Windows-based Policy.
- OS Type: To search for servers by operating system type, select an option from the list (Windows or Unix), or select All to view all servers.
- Version: To search for servers by ObserveIT version number, select a version (or the installed version) from the list, or select All to view all server versions.
- Activities: To search for servers on which particular activities occurred within the past 7 days, select the check box(es) of one or more options from the list:
  - Data Loss: to search for servers that incurred data loss within the past 7 days.
  - Tampered With: to search for servers
tcons utility.
- Session data was tampered with while the Agent was in offline mode. Files may have been renamed or their contents changed by a user who worked offline to hide his activities. Offline files are not sent to the Application Server; when the Agent is online again, the Agent Service reports the list of files that were tampered with.
- The ObserveIT Agent Service is down, perhaps due to a network malfunction or a disconnection between the Agent and the Application Server, or for other unknown reasons. To understand the reason, allow ICMP traffic between the Agent and the Application Server (ICMP is a protocol rather than a port, although the guide refers to the ICMP port) and restart the Agent Service.
- The Agent process was killed and automatically restarted by Watchdog.
- The ObserveIT Agent and service are activated.
- The Agent machine is disconnected from the network. Check that ICMP is allowed; if it is blocked, allow it again.
- The ObserveIT Agent Service has reported that it was killed by a Unix command executed by the user (kill). To receive Agent health check reports, it must be restarted.

[Table residue: event codes 1230, 1231, 1232, 1240, 1242, 1250, 1251 and 1501, with descriptions Agent is now recording active sessions; Agent data loss; Offline data loss, threshold exceeded; Offline data loss, lack of disk space; Agent process was reactivated by Watchdog; Agent recording is enabled via Server Policy; Agent recording is disabled via Server Policy; Agent interception is off. Category: Data Loss.]
te: Active Directory groups are only available when using an Automatic LDAP Target.
[Screenshot: Identification Service group settings. Enable all groups from this Active Directory domain is selected, with the instruction: To exclude any group from being able to log on, enter the Active Directory group name (for example Help Desk or Domain Admins); you can add multiple groups to this list. Exclude Group list: Domain OIT-DEMO.LOCAL, Group "no oit logon", created 2/1/2013.]
4. Click Save.
Note: If you forget to click Save, Active Directory group integration will not work.
As a result, when a user logs on to a monitored server by using the Administrator account, if they enter user1 or user2 in the ObserveIT Identification screen they will not be able to gain access to the desktop, because these users are members of the "no oit logon" group. However, if user3 attempts to authenticate, they will be granted access to the desktop.
5. If you want to configure the ObserveIT Identification Service to deny access to all Active Directory groups except those in the Enable list (this is the deny-by-default mode: a group that is not listed has no access, whereas in the Enable all groups mode any group you forget to exclude can log on):
   1. Select Disable all groups from this Active Directory domain.
   2. In Enable Group, enter the domain name of the Active Directory group to which you want to grant access to the Identification Service, or select it from the list of all the domains in the Active Directory forest in which the ObserveIT Application Server is a member.
   3. Enter the group name that you want to enable; in this exam
ter 3
[Screenshot: Certificates MMC snap-in (Local Computer), Personal store, which contains no items yet, with the context menu All Tasks > Request New Certificate. The wizard explains: Request a new certificate from a certification authority (CA) in your domain.]
You should provide a friendly name for the certificate, such as ObserveIT Certificate.
[Screenshot: the issued certificate under Console Root > Certificates (Local Computer) > Personal, issued to WIN2003-OITSRV.oit.demo.local by OITDEMO-CA on 01/10/2012. The General tab states: This certificate is intended for the following purpose(s): Proves your identity to a remote computer; Ensures the identity of a remote computer.]
Note that a certificate whose purposes are only the two shown above (client and server authentication) does not include Encrypting File System and therefore cannot be used for image encryption; see Implementing Security.
th to the location of the archive database.
- Date range of included sessions: first date and time to last date and time.
- Size of archive database: size of the archive database (GB) and number of slides.
- Low DB space notification: Not Configured, or the configured threshold, showing the maximum actual disk space allocated for the archive data. A system event is generated when the archive database size exceeds the configured percentage of the allowed GB.

To configure a threshold for a system event when the archive database approaches its maximum allocated storage:
1. Navigate to the Configuration > Archive > Storage Management tab.
2. In the Active Archive Storage Management section, navigate to Low DB space notification and click Change to open a dialog box that lets you configure a different threshold.
[Screenshot: Low DB space notification settings: Generate a system event when the database size contains more than 5 (percent) out of the allowed GB.]
3. Select the check box Generate a system event when the disk contains more than.
Note: To clear a system event, clear this check box and click OK.
4. Specify the maximum disk space that you want to allocate for the archive data by entering values in the percentage and GB fields.
5. Click OK. A system event is generated when the disk reaches the specified values. If the event is ignored after the allocated disk space is reached, you may experience data loss. For further details, see System Events.
Note: A message will be sent to th
that were tampered with within the past 7 days.
  - Installed: to search for servers on which the Agent was installed within the past 7 days.
  - Uninstalled or Unregistered: to search for servers that were uninstalled or unregistered within the past 7 days.
- Agent Type: To search for servers by type, select an option from the list (Workstation, Servers, Terminal Services, Site, Unix, ActiveX), or select All to view all servers.
- OS Version: To search for servers by operating system version, select an option from the list (for example CentOS 5.9, Red Hat Enterprise, Windows Server 2008 R2), or select All to view all servers.
- Status Details: To search for servers by status details, select an option from the list (Service Stopped, Service Terminated, and so on), or select All to view all servers. For details, see Assessing Agent Statuses and Details.

Renaming Servers

When required, you can rename servers.

To modify a server name:
1. Navigate to Configuration > Servers.
2. In the Servers list, click the name of the server you want to modify.
3. In the server's properties page, in the Server section, click the Modify Name link next to the server's name.
[Screenshot: the Web Console properties page for server W2K8-S8-D02 (Agent version 5.8.0.0), with a Back to Servers List link and the note: Currently server is linked to the Default Windows-based Policy configuration po
the Schedule link next to the relevant report (marked by a schedule icon).
2. In the Schedule Report page of the selected report, click the Remove Schedule button at the top of the page.

Editing Reports

ObserveIT's report configuration wizard allows you to return to any step and add or remove columns, and thereby gradually build the report that you need by trial and error. At any point you can also cancel the process or jump to a different step without having to go through all the steps in order.

To edit a report:
1. In the Reports tab, click the Edit link next to the report that you want to edit.
[Screenshot: the Reports tab. Report List: Latest Activities, Installed Software, Scheduled Reports for Console User, Servers, Software, Sticky Notes, Install/Uninstall, Custom Reports, Latest Sessions; Create New Custom Report. Sample custom reports, each with Run, Cached, Schedule, Copy, Edit and Delete links: All Remote Desktop Sessions in the past month (modified 01/11/09 by admin); SAMPLE Admin related tasks, Past Week: administrative tasks performed on monitored servers (28/10/09, admin); SAMPLE App usage grouped by ServerName: all apps used on monitored servers, Grouped
thod of optimization can lead to a significant saving in storage size. Screen data storage optimization is enabled by default. If you want to store images as complete screenshots, you can disable this option.

You can configure the on/off status of screen capture data size optimization manually per server (Agent) from the Configuration > Servers page, or by using Server Group Policies to configure many servers (Agents) simultaneously.

To configure screen capture data size optimization using Server Policies:
1. In the Configuration > Server Policies page, click Create or select a server policy template (Windows-based policy).
2. In the System Policy section of the Server Policy Template page, clear the Optimize screen capture data size check box to disable this feature. By default this check box is selected, which enables storage optimization.
[Screenshot: Server Policy Template page (Back to Server Policy Templates, Linked Servers; Name: New Server Policy Template). System Policy check boxes: Enable recording, Enable Identity Theft Detection, Enable API, Show tray icon, Restrict to RDP, Enable hotkeys, Enable key logging, Optimize screen capture data size, Enable recording notification (All activity on this machine is recorded). Settings: Set image format (Grayscale, Server Compression), Set session timeout (15 minutes), Set keyboard frequency (Low), Set continuous recor
tigating System Events and Configuring Email Notification Settings for Events.

Admin Dashboard

Mini Admin Dashboard

ObserveIT administrators can view the mini Admin Dashboard, located in the upper right of the Web Console, from every page in the Web Console. Its colored icons indicate at a glance the operational statuses of the ObserveIT Agents, providing a quick preview of system health. Administrators can open the full Admin Dashboard by clicking the mini Admin Dashboard, and from there drill down to further details to identify the root cause of a problem and respond accordingly.

[Screenshot: the mini Admin Dashboard, showing the counts 6, 2 and 1.]

The colored icons on the mini Admin Dashboard indicate data from the past 7 days, including, when relevant, the number of:
- Installed/uninstalled Agents (in the above example there are 6)
- Agents with errors (in the above example there are 2)
- Agents that have been tampered with in the past 7 days (in the above example there is 1)
For further information about the icons and colored severity levels, see Colored Severity Levels and Icons.

Colored Severity Levels and Icons

In ObserveIT, system events and operational statuses are colored per severity status to enable administrators to quickly identify these and r
ting system and that have the ObserveIT Agent installed on them.
- Windows Workstations: This group includes all the servers that are running the Microsoft Windows 8 operating system and that have the ObserveIT Agent installed on them.
- Windows Gateway: This group includes all the servers that are running Microsoft Windows Server Gateway and that have the ObserveIT Agent installed on them.
- Windows ActiveX: This group includes all the servers that are running Microsoft Windows ActiveX and that have the ObserveIT Agent installed on them.

These server groups cannot be deleted, and you cannot modify their members. However, you can create additional server groups.

You can use server groups to configure permissions for Console Users. You can also use server groups to manage Configuration Policies. For further details, see Server Policies.

In the Configuration > Server Groups page you configure the ObserveIT server groups as follows:
1. Create new server groups.
2. Modify members of the server groups.
3. Assign Console Users permissions for the required server groups.
4. Link Server Policies to server groups.
You can also delete server groups.

Creating Server Groups

You can use the default built-in server groups. You can also create additional server groups if required.

To create an additional server group:
1 2 3 4 Na
tion
[Screenshot: the Audit > Sessions tab. Sample rows: 4:58 PM, Admin, 192.168.254.105, Q3-WIN8-SQL5, Administrator, 2/28/2014 1:45:20 PM (three entries, with a Video icon); 4:45 PM, Admin, 127.0.0.1, Q3-WIN8-SQL5, Administrator, 2/28/2014 1:45:20 PM. The Configuration menu also lists License, SMTP Settings, Monitor Log, LDAP Settings, Storage, Archive, Saved Sessions and Audit.]

In the Sessions tab you can filter the display by searching for sessions according to Console User name (Operator), the remote IP address of the management workstation, and date. The following information is displayed for each audit entry:
- Details icon: Click to open the session details for an entry.
- Audit Hour: The time that the audit entry was created, that is, when the user opened the Video player for the session.
- Operator: The Console User that accessed the Web Console.
- Client: The IP address that was used to log on to the Web Console. An entry whose Client is 127.0.0.1, like the last row in the example, was replayed from a browser session on the Application Server itself rather than from a management workstation.
- Server: The name of the server on which the session took place.
- Session Login: The user that logged in to the session.
- Session Date: The date and time that the session occurred.
- Video icon: Click to replay the session. When Session Replay Privacy Protection is enabled, a lock icon appears next to the Video icon, and users who click the Video icon are prompted to enter their Replay Privacy Protection password. For further details, see Enabling Ses
tity Theft Detection, Enable API).
3. Click the Change Template link.
[Screenshot: the properties page for server ID 1497b10c-4eeb-4512-9b82-4b4ca368770c, which is linked to the Default Windows-based Policy, with a Change Template link.]
The Change Server Policy Template dialog box opens.
[Screenshot: Change Server Policy Template dialog. Warning: After pressing the Update button, this Server will be linked to the new Server Policy Template and reconfigured. Server ID: 1497b10c-4eeb-4512-9b82-4b4ca368770c. Server Name: W2K8-S8-D02. Server Policies Template: Default Windows-based Policy. Buttons: Cancel, Update.]
4. From the Server Policies Template drop-down list, select the required Server Policy Template.
5. Click Update. The server is now linked to the selected Server Policy.

Linking Server Groups to Server Policies

By default, all the servers (Agents) are automatically configured by the Default Server Policy Template. However, you can change this and link Server Groups or individual Servers to a different Server Policy Template.

Note: Only one Server Policy Template can be linked to a server at any given time. If a different Server Policy Template is linked to the same server, the previous Server Policy Template will immediately be unlin
tivity Alerts

Printing and Exporting Alerts

ObserveIT allows you to export the Alerts list, as displayed, in HTML format to an external window for easier printing and for use in Microsoft Excel.

To export the Alerts list, in the Activity Alerts page click one of the following icons:
- Click the export icon to open the Alerts list in a Report To Export browser window, from which you can view or save the details as an Excel file.
- Click the print icon to open the Alerts list in a Report To Export browser window, from which you can print the report as you would any browser window. From this window you can click the Excel link to open the information as an Excel file.

Deleting Alerts

ObserveIT administrators can delete alerts that are no longer relevant, thus reducing the Alerts list to show only alerts that are flagged as important and high-severity alerts.
Note: Only the Admin user can delete alerts, that is, not every user with administrative permissions.

To delete an alert:
1. In the Activity Alerts page, select the alerts you want to delete and click the Delete icon. A confirmation dialog box opens.
2. Click OK to confirm the deletion. The Alerts list refreshes. If the alerts may still be needed for an investigation, export the list as described above before deleting them.

Receiving Alert Notifications by Email

Alert notification policies enable ObserveIT administrators to define the email notifications that are created when an alert is generated. These policies define to wh
to perform specific tasks, contact information in case of software or hardware issues, and more. By default, messages are displayed to every user that logs on to the monitored servers. You can exclude specific users or groups from receiving a message, and/or display a message to a limited number of users or groups.

Note: ObserveIT integrates with your Active Directory forest, enabling you to include or exclude users and groups from any domain in the forest in which the ObserveIT server-side components are installed, and in the forest in which the ObserveIT Agents are deployed (if different). Cross-forest trusts can also be used. Although groups from Active Directory domains can be used with any group scope (domain local, global or universal), it is recommended that you follow Microsoft's best practices on group object usage. For further details, refer to Active Directory Best Practices.

Following is an example of a message that a user might receive from the administrator:
[Screenshot: ObserveIT Message, Live Message, from ObserveIT Authentication Admin (1 out of 1): "Job will take approx 7 hours. Do not stop the job. For questions please call Daniel at 972", with an Acknowledge button and a reply box (max 500 characters).]

Managing Messages

About Messages

Messages can be configured to be displayed on all servers or on some servers, for all users logging on to these servers or
tomatically created so that the file system location with the screen captures appears as a subfolder of the database that contains the related metadata. In this way all relevant session data is kept together. Since you can define multiple file system locations for each active database, you may also see a number of databases, each with several file system locations.

Viewing Additional Screen Capture Data Storage

To view additional screen capture data storage:
1. In the Additional Screen Capture Data Storage section of the Screen Capture Data tab, view the local or network paths that were previously used by the system to store screen capture data. To ensure playback availability, these paths must remain accessible. They appear in the list with the status Available.
2. Select the check box Show all paths including empty or unavailable to view details of file paths that are currently unavailable for screen playback or are empty, that is, they do not contain any screen capture data (possibly due to content archiving).
For each file system path the following information is displayed:
- Path Location: File system path (local on the server, or a network share).
- Status: Available, Empty or Unavailable.
- Size (GB): Size of the storage used for screen capture sessions, in GB.
- Slides: Number of slides in the stored screen capture sessions.
- Date Added: Date that the file system path was created.
- Added By: The user that created the file system
topics in this section describe how to configure ticketing policies and ticketing system settings:
- Configuring Ticketing Policies
- Configuring Ticketing Systems

Ticketing System Integration

Configuring Ticketing Policies

When an IT ticketing system is integrated with ObserveIT's session recording system, IT administrators or remote vendors may be required to enter a valid ticket number in order to complete the login process to corporate servers. To enable this feature, you must configure ticketing policies in the ObserveIT system. For further details, see Ticketing System Integration.

When configuring a ticketing policy, you can specify the servers and server groups on which the ticketing policy will be applied. You can also specify which users will receive a ticketing policy message upon logging in to the monitored servers: you can exclude specific users or groups from receiving the message, or display the message to a limited number of users or groups.

Note: ObserveIT integrates with your Active Directory forest, enabling you to include or exclude users and groups from any domain in the forest in which the ObserveIT server-side components are installed, and in the forest in which the ObserveIT Agents are deployed (if different). Cross-forest trusts can also be used. Although groups from Active Directory domains can be used with any group scope (domain local, global or universal), it is re
u to track details about user logins to the Web Console, including whether the login was successful. Each time a user logs in to the Web Console, an audit entry is created.

To view the user logins to the Web Console:
1. Navigate to the Configuration > Audit > Logins tab.
[Screenshot: the Audit > Logins tab (Results 1-7 of 7), with columns Status, Hour, User, Domain and Client. Sample rows dated 12/7/2014: 12:50 PM, Admin, ObserveIT Authentication, 10.1.100.42; 12:26 PM, Admin, ObserveIT Authentication, 10.1.100.90; 12:25 PM, admin, ObserveIT Authentication, 10.1.100.90; 12:25 PM, admin, ObserveIT Authentication, 10.1.100.90; 12:23 PM, Admin, ObserveIT Authentication, 10.1.100.33; 12:01 PM, Admin, ObserveIT Authentication, 10.1.100.33; 11:52 AM, Admin, ObserveIT Authentication, 10.1.100.17.]
2. In the Logins tab you can view the following information for each user login:
- Status: An indication of whether the login was successful or failed. For failed logins, a reason for the fail
uick Help
[Screenshot: report wizard sorting options: sort by Session End Date, Ascending, and then by Server Name, Ascending; Group Dates By Week or Date. Buttons: Preview, Cancel, Next, Save.]
8. In step 3 of the report configuration wizard you can select a start and end date for the report. In this step you can also define advanced filters by selecting any of the column items that you selected in Step 1 and displaying only the results that match: equal or not equal to a specific string, containing or not containing it, and so on. For example, you may only want user names that include specific users, or Window Titles that include specific words.
[Screenshot: Step 3/4, Filtering selection. Select filters to fine-tune the report; you may choose date ranges as well as additional advanced filters. Standard Filter: Start Date Jan 23 2014 and End Date Feb 23 2014, or The Past Period (1 Weeks). Advanced Filter rows, for example Server Name equals (value), AND Server Policy Name not equals (value), with further column choices such as Server Version and Sessions Cou
up, select the domain for the group from the Domain drop-down list, type the Group Name, and click the Add button.
2. Repeat the previous step for each group that you want to exclude.
5. If you want textual metadata to be recorded for the excluded users or groups, select the Record metadata for excluded users check box. Excluding a login from recording removes that user's sessions from the visual record entirely, so keep the exclusion list short and consider leaving this check box selected so that at least the textual trail is kept.
Note: You can remove users or groups from the list by selecting them and clicking the Remove button.
6. Click Save to save the changes.

To configure the ObserveIT Server to record video and metadata for only specific users or groups:
1. In the User Recording Policy section of the Server Policy Template page, select Record only the following users.
[Screenshot: User Recording Policy. Record all users: To exclude any user from being recorded, enter the login (e.g. administrator or OBSERVEIT\danielp) and click Add; you can add multiple users to this list. Exclude: Domain (for all), Login / Group Name, User or Group; columns Domain, User, Created Date, Type; check box Record metadata for excluded users. Record only the following users: To activate recording of video and metadata for only specific users, enter the login (e.g. administrator or OBSERVEIT\danielp) and click Add; you can add multiple users to this list. Include: Domain (for all), Login, Add, User or Group; columns Domain, User, Created Date, Type; check box Record metadata for all users; Remove button.]
2. From the Include drop-down list, select User sel
up Policy, or at the Active Directory domain or Organizational Unit (OU) level by using Group Policy Objects (GPOs). For further details, refer to the Microsoft Knowledge Base article on the "Task Manager has been disabled by your administrator" error message.
[Screenshot: Group Policy Object Editor, Local Computer Policy > User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options. Settings: Remove Task Manager: Enabled; Remove Lock Computer: Not configured; Remove Change Password: Not configured; Remove Logoff: Not configured.]
Note: It is beyond the scope of this article to discuss all the security considerations, requirements, best practices and implementation procedures for the system.

Servers

In ObserveIT terminology, servers are the computers on whi
update an existing ticket policy:
1. In the list of Active Tickets in the Ticketing Policies tab, select the ticket policy that you want to update.
2. Edit the required parameters as described above and click Save. The updated ticketing policy is displayed in the list of Active Tickets in the Ticketing Policies tab.

To disable a ticket policy:
- In the list of Active Tickets in the Ticketing Policies tab, select the ticket policy that you want to disable and click the adjacent Disable link. The ticket policy is moved to the list of Disabled Tickets in the Ticketing Policies tab.

To delete a ticket policy:
- In the list of Active Tickets in the Ticketing Policies tab, select the ticket policy that you want to delete and click the adjacent Delete link. After a confirmation message, the ticket policy is removed from the list of Active Tickets.

Configuring Ticketing Systems

When IT administrators or remote vendors are required to enter a ticket number from a ticketing system in order to complete the login process to a corporate server, the ticket number entered by the user must be validated against the ticketing system; without that validation any string would satisfy the prompt. ObserveIT ticketing systems can be built-in or customized:
1. Built-in ticketing systems are provided by ObserveIT as out-of-the-box integrations. ServiceNow is currently supported.
2. Customized ticketing systems are im
uration > Server Groups.
[Screenshot: the Admin Dashboard, with recent statistics based on the past 7 days and Auto refresh ON. Agents portal: Latest version 1, Recently installed 1, Service Monitoring Engine; group Windows Servers with 4 Agents, server W2K8-S8-D02 in status Error; link Add more groups.]
The Server Groups page opens, where you can select existing groups or add new groups to display in the Admin Dashboard.
2. Select the check box(es) of the server group(s) that you want to show in the Admin Dashboard. When you add a new server group, the Show in Dashboard check box is selected by default and the new server group is automatically displayed in the Admin Dashboard, in the Agents portal.
3. To remove a server group from the Admin Dashboard, clear the Show in Dashboard check box next to the relevant server group in the Server Groups page.
[Screenshot: the Server Groups page.]
I
urce: the component that reported the event (Identity Theft, Agent, Notification Service, Application Server, Web Console, Services, Database, Health Monitoring, Rule Engine).
• Status Details: the status details, for example Service stopped or Tampered with.
• Event Description: a brief description of the event.
• Email sent: whether an email was sent (Yes/No).
• Additional Info: additional event information, for example the list of files or registry entries that were tampered with.
• Remediation Status: the remediation status of the event (New, In Process or Closed).
• Comment: a link for adding and displaying comments for the event.
3. You can filter the System Events list according to specified criteria, including the event severities, the sources by which events are triggered and the categories by which events are defined. For details, see Filtering Events.
System Events
Filtering Events
You can filter the events displayed in the System Events list per specified criteria.
To filter the events displayed in the System Events list:
1. From the Severity drop-down list at the top of the System Events page, select the severity of events that you want to view. The options are High & Medium, High, Medium and Low. By default, all event severities are displayed.
(Screenshot: the System Events filter bar, with Severity, Server, More Filters, Category, Event Code and Compo
ure is provided:
• The date and time of the user login.
• The Console User that accessed the Web Console.
• The domain name, if the Console User is configured with an external Active Directory or LDAP domain.
• The IP address which was used to log on to the Web Console.
You can filter the display by Console User name (Operator), remote IP address of the management workstation, and date.
Auditing Session Replays
For auditing purposes, ObserveIT enables you to view information about all sessions in the Web Console which were replayed by the user. A session audit entry is added whenever a user opens the Video Player for a session.
To view details about sessions that were replayed:
1. Navigate to the Configuration > Audit > Sessions tab.
(Screenshot: the Audit > Sessions list, filtered by Operator, IP and an "Up To" month/year, with columns Audit Hour, Operator, Client, Server, Session Login, Session Date and Video; the example rows show operator Admin from 192.168.254.105 replaying Administrator sessions on server Q3-WIN8-SQLS.)
urity Alerts, System Events.
2. Click the Create New Policy button.
(Screenshot: the Edit Alert Notification Policy dialog box, with Policy name, Email Recipients (Email address, Add, Remove) and Email Frequency (On every alert; Digest email no more than once every X minutes; Daily digest email at 08:00:00).)
3. In the Edit Alert Notification Policy dialog box, configure recipients for the email notification as follows:
 1. Enter the user's email address in the text box and click Add Address. The email address is added to the list.
 2. Repeat the above step for each email address you want to add.
 Note: To remove an email address from the list, select it and click Remove.
4. Configure how often recipients will receive the email notification by selecting one of the following options:
 • Email on every alert (the default frequency).
 • Send a digest email no more than once every X minutes.
 • Send a daily digest email at a fixed time every day, for example 08:00 AM.
5. Click Save to save your settings. The new notification policy will be available for selection in the Activity Alert Rules page. See Creating Alert Rules.
Activity Alerts
To edit an existing notification policy:
1. In the Alert Notification Policies page, select the policy that you want to edit, or click
uthentication
(Screenshot: example alert notifications for the rule UrlDomainNotEndWithCom, with Alert IDs 10060412, 10060430 and 10060212. Each entry lists Who (for example observeit-sys.local\lili), On Which Computer (for example OIT-LILI or localhost.localdomain), When, From Which Client (for example local 127.0.0.1 or 10.1.100.114), and View Details / Watch Video links.)
Viewing Alert Indications in the Web Console
Activity alerts that are generated on a session are also indicated in the ObserveIT Server Diary, User Diary and Search tabs and in the session's video player. The topics in this section describe how to:
• View alert indications in recorded sessions.
• View alert indications in the Session Player.
• Search for sessions with alerts according to alert IDs.
Viewing Sessions with Alerts
A recorded session that has one or more alerts shows an alert indication in the Server Diary, User Diary and/or Search lists.
To view sessions with alerts and related details:
1. Click the relevant tab (Server Diary, User Diary or Search). Following is an example of the Server Diary showing medium-severity a
ve the changes. Setting changes will take effect on new user sessions after the current sessions are closed.
Limiting Output Data Recording
During ObserveIT session recording in a Unix/Linux environment, if there is no user input and the volume of output exceeds the defined limit, the recording of output data stops. For session output, a new session is created and recording resumes only upon new user input. For command output, recording resumes upon a new command. By limiting output data recording, you can control the volume of recorded output data for an ObserveIT session when there is no user activity, for example when running the tail -f command on the OS messages (syslog) file while a high volume of logging messages is written to that file.
In the ObserveIT Web Console, on Unix- and Linux-based server policies you can configure a recording policy for limiting output data recording by specifying the maximum output data size that is allowed to be recorded before a session is closed when there is no user input. You can configure output data recording thresholds per server Agent from the Configuration > Servers page, or by using Server Group Policies to configure many server Agents simultaneously.
To configure thresholds for output data recording using Server Policies:
1. In the Configuration > Server Policies page, click Create or select a server policy template (Unix-based policy).
2. In the Data Recording Policy sect
vel.
How to Configure the Visited URL Group Options
This topic provides details and a typical scenario to help you understand how to configure Did What conditions using the Visited URL group of options.
Note: These options apply to Windows operating systems only.
For general information about defining Did What conditions, see Defining the Did What Conditions.
The Visited URL group includes the following options for configuring Did What conditions:
• Site: the URL domain or host name of the website that was visited. Use this option if you want to be alerted when the user visits a specific website, regardless of which pages were opened or how many pages were viewed. Example condition: Visited URL, Site contains "facebook, twitter" generates an alert on the URL www.facebook.com/login.
• Any part of URL: any part of the visited website URL that matches the text. Use this option if you want to be alerted whenever the user accesses a new page, or searches for a specific page or application in a website.
• URL prefix: the first part of the visited website URL, from the beginning of the URL until the end of the matched text. Use this option if you want to know which specific page(s) the user visited in a website. Example condition: Visited URL, URL prefix contains "AdminUsersView"
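The three Visited URL options differ in which part of the recorded URL is examined and which fragment the alert reports. The following Python is an added example (not ObserveIT code) that evaluates a "contains" condition for each option; treating a comma-separated value as "any of these terms", matching case-insensitively, and tolerating URLs recorded without a scheme (the guide's own example is written as www.facebook.com/login) are this example's assumptions.

```python
"""Evaluate the three Visited URL options of a Did What condition.

Added example, not ObserveIT code. The 'contains' operator is the one the guide's examples use;
comma separation as 'any of these terms' and case-insensitive matching are assumptions.
"""
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit


def _terms(text: str) -> List[str]:
    """'facebook, twitter' -> ['facebook', 'twitter']; any one term matching is enough."""
    return [t.strip().lower() for t in text.split(",") if t.strip()]


def _host(url: str) -> str:
    # Recorded URLs may lack a scheme ('www.facebook.com/login'); urlsplit needs one to find the host.
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()


def match_site(url: str, text: str) -> Optional[str]:
    """Site: only the domain/host name is examined, whatever page was opened."""
    host = _host(url)
    return next((host for term in _terms(text) if term in host), None)


def match_url_prefix(url: str, text: str) -> Optional[str]:
    """URL prefix: the match runs from the start of the URL to the end of the matched text,
    which is what identifies the specific page the user visited."""
    lowered = url.lower()
    for term in _terms(text):
        pos = lowered.find(term)
        if pos >= 0:
            return url[: pos + len(term)]
    return None


def match_any_part(url: str, text: str) -> Optional[str]:
    """Any part of URL: the matched text itself, wherever it occurs (path, query, fragment)."""
    lowered = url.lower()
    for term in _terms(text):
        pos = lowered.find(term)
        if pos >= 0:
            return url[pos: pos + len(term)]
    return None


MATCHERS: Dict[str, Callable[[str, str], Optional[str]]] = {
    "Site": match_site,
    "URL prefix": match_url_prefix,
    "Any part of URL": match_any_part,
}


def evaluate(option: str, text: str, url: str) -> Optional[str]:
    """Return the fragment an alert would report, or None when the condition does not fire."""
    return MATCHERS[option](url, text)


if __name__ == "__main__":
    print(evaluate("Site", "facebook, twitter", "www.facebook.com/login"))      # www.facebook.com
    print(evaluate("Site", "facebook", "https://example.com/?ref=facebook"))  # None: host only
    print(evaluate("Any part of URL", "facebook", "https://example.com/?ref=facebook"))  # facebook
```

Note the second and third calls: a Site condition on "facebook" does not fire for a URL that merely carries the word in its query string, while Any part of URL does, which is exactly the distinction the table above draws.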
(Screenshot: the Server Policy Templates page, listing each policy with Name, Install Parameter and number of linked Servers.)
See the following topics:
• Creating Server Policies
• Modifying Server Policies
• Deleting Server Policies
• Linking Servers to Server Policies
• Linking Server Groups to Server Policies
Creating Server Policies
To create an additional Server Policy:
1. Navigate to Configuration > Server Policies. The Server Policy Templates page opens.
(Screenshot: the Server Policy Templates page with the Windows-based computer policies type selected, listing the Default Windows-based Policy (1 server), Default Metadata Only Policy, Default Unix-based Policy and Default Recording Disabled Policy (0 servers each).)
2. From the drop-down list, select the type of policy you want to create.
3. Click Create. The new Server Policy is created immediately.
Note: You can also copy an existi
ver Policy Template page, from the Set session timeout (minutes) drop-down list, select the required period of user inactivity after which the ObserveIT Agent will stop monitoring. The default is 15 minutes.
(Screenshot: the Server Policy Template page for the Default Windows-based Policy. The System Policy section lists Enable recording, Enable Identity Theft Detection, Enable API, Show tray icon, Restrict to RDP, Enable hotkeys, Enable key logging, Optimize screen capture data size, Enable recording notification, Set image format (Grayscale, Server Compression), Set session timeout (minutes) = 15, Set keyboard frequency (Low) and Set continuous recording (seconds) = OFF.)
3. Click Save to save the changes. Setting changes will take effect on new user sessions after the current sessions are closed.
Setting Keyboard Recording Frequency
Note: This feature is supported only on Windows-based server policies.
The ObserveIT key logger enables the tracking and recording of all user activity on monitored servers, including every key press and mouse click. Any keyboard activity is a trigger for the ObserveIT Agent to perform a screen and metadata capture. For further details, see ObserveIT Key Logging in the User Guide.
ObserveIT monitors the rate at which the u
ver Policy Templates
(Screenshot: the Server Policy Templates page for Windows-based computer policies, listing the four default policies with Name, Install Parameter, number of Servers and a Copy link for each.)
3. In the Policy Servers page, click the Add Servers from Group button.
(Screenshot: the Default Windows-based Policy Servers page, listing Server Name, Version and Date for each linked server, for example W2K8-S8-D02 (5.8.0.0, 1/6/2015), with a Remove link and the Add Servers from Group button.)
4. In the Server Group List (Apply Configuration to Group) window, select the check box of the required Server Group.
5. Click the Apply to Group button.
(Screenshot: the Apply Configuration to Group window for the Default Windows-based Policy, listing Server Group Name and Number of Servers. Note: Only Windows servers can join this policy.)
ver group, click the Add Servers link. In the Add Servers to Group dialog box, select the check boxes of the servers you want to assign to the server group.
(Screenshot: the Add Servers to Group dialog box for the Finance Servers group, listing Server Name, Version and Monitor Status (for example W2K8-S8-QA02, 5.8.0.0, Active), with Check All, Clear All, Add Checked Servers and Close buttons.)
Click Add Checked Servers. A message dialog box opens, prompting you to confirm.
Click OK to confirm and add the server(s) to the group. The new server group is added with its servers.
(Screenshot: the Server Groups page, listing Server Group Name and Show in Dashboard for All Servers, Active Servers, Windows Servers, Unix Servers, Windows WorkStations, Windows Gateway, Windows ActiveX and the new Finance Servers group, each with Add Servers and Delete links.)
Note: Server groups without attached servers will not be displayed on the dashboard.
When you add a new server group, the Show in Dashboard check box is selected by default and the new server group is automatically displayed in the Admin Dashboard in the Agents portal. You can select additional check boxes to show several server groups in the Admin Dashboard.
To remove a server group from the Admin Dashboard, clear the Show
(Screenshot: the Admin Dashboard, with portals for Agents (Group, Agents, Status, Error), Service Monitoring Engine, Security, Application Servers, Storage, Archive and Saved Sessions. The Active Servers row shows the tooltip "Tampering occurred during the past 7 days, last occurrence on 1/8/2015".)
Admin Dashboard
The portals of the Admin Dashboard provide system health status information and easy navigation to drill down to further details.
Agents displays a list of Agent groups, the number of Agents, color-coded statuses and the number of Agents with errors. When any of the Agents in a particular Agent group have been tampered with and/or have experienced data loss in the past 7 days, the relevant row is marked with the Tampered With icon and/or the Data Loss icon, and each icon has a tooltip indicating the date of the last occurrence. The row marked with the Tampered With icon is also shaded orange, to make it easy to identify which Agent group has been tampered with. The shades of orange and blue on these icons vary according to how recently the tampering or data loss occurred: the darkest shades indicate today, the medium
view all alert rules.
• Last updated: To search for alert rules by the time period in which they were last updated, specify the period (During last) or specify a date range for your search (Between).
• Last updated by: To search for alert rules by the user who last updated them, select a specific user from the list, or select All to view all.
Creating Alert Rules
This topic describes how to create alert rules. For information about editing or duplicating existing alert rules, see Editing and Duplicating Alert Rules.
The ObserveIT installation package includes a list of sample alert rules which can be used as a basis for customizing alert rules.
Note: Before you begin to create or edit alert rules, it is recommended that you read the topic Understanding the Logic for Triggering Alerts, which describes the logic for defining alert conditions.
To create a new rule:
1. In the Activity Alert Rules tab, click the Create New Alert Rule button. The Create Alert Rule page opens without any defined content, enabling you to define the parameters and conditions required for your alert rule.
(Screenshot: the Create Alert Rule page, opening with the Alert Rule Details section.)
vigate to Configuration > Server Groups.
2. In the Add Group field, type the relevant server group name.
3. Click the Add button. The new server group is added to the list. A confirmation message appears at the top of the page.
(Screenshot: the Server Groups page with the message "Successfully added". The list shows Server Group Name and Show in Dashboard for All Servers (3), Active Servers (2), Windows Servers (2), Unix Servers (1), Windows WorkStations (0), Windows Gateway (0), Windows ActiveX (0) and the new group NewGroup (0), which has an Add Servers link.)
Note: Server groups without attached servers will not be displayed on the dashboard.
By default, the Show in Dashboard check box is selected and the new server group is automatically displayed in the Admin Dashboard in the Agents portal.
To remove a server group from the Admin Dashboard, clear the Show in Dashboard check box next to the relevant server group in the Server Groups page.
Modifying Members in Server Groups
You can add and remove servers from server groups, and you can modify group member properties.
To modify the members within a server group:
1. Navigate to Co
w. Only automatic-type (Auto) domains can be used for Active Directory groups (Detect Domain Membership, Synchronize LDAP Groups).
Manual LDAP Target
Manual LDAP targets can be used to authenticate users for two purposes: Console Users and Identification Services. Type in the correct LDAP path using the following form:
LDAP://<Domain Controller Name or IP>/DC=<Domain Name>,DC=<Suffix>
For example, if your Domain Controller name is OBS-DC1 and your domain name is OBSERVEIT-SYS.LOCAL, use the following LDAP path:
LDAP://OBS-DC1/DC=OBSERVEIT-SYS,DC=LOCAL
Note: If no name resolution is possible, you might need to enter the Domain Controller IP address instead.
Enter user credentials to verify the LDAP path, then click Add & Verify.
(Screenshot: the LDAP Settings page, with the LDAP Path field set to LDAP://WIN2003-DC/DC=OIT-DEMO,DC=LOCAL, User Name and Password fields for verifying the path, the Add & Verify button, and the LDAP Targets List with columns LDAP Path, Domain Name, User Name, Alias, Type, Created Date and a Delete link; the example row is the domain OIT-DEMO.LOCAL, user administrator, type Manual, created 4/4/2014.)
After the LDAP connection is properly established, you can start working with Active Directory-based Console Users.
LDAP Settings Configuration
Deleting LDAP Targets
LDAP targets can be deleted if they are no longer needed.
To delete an LDAP target:
1. In the LDAP Targets List section of the Configuration > LDAP Settings page, click the Delete link.
2.
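The ADsPath form above is easy to get subtly wrong (a DNS domain written with dots instead of DC= components, a host name that will not resolve, a path that points at a container rather than the domain). The following Python is an added example, not ObserveIT code, that builds the path from a Domain Controller name or IP address and a DNS domain name exactly as the guide describes, and parses an existing path back into the server and Domain Name that the LDAP Targets List shows. The host-name check, the acceptance of an IP literal and the rejection of non-DC components are this example's own additions.

```python
"""Build and check the LDAP path for a Manual LDAP Target.

Added example, not ObserveIT code. The ADsPath form LDAP://<DC host or IP>/DC=...,DC=... is the
one the guide describes; the host-name check and the round-trip parser are this example's additions.
"""
import ipaddress
import re
from typing import List, Tuple

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"          # one DNS label: letters, digits, inner hyphens
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
_ADSPATH = re.compile(r"LDAP://([^/]+)/(.+)", re.IGNORECASE)


def dns_domain_to_dn(domain: str) -> str:
    """OBSERVEIT-SYS.LOCAL -> DC=OBSERVEIT-SYS,DC=LOCAL (one DC component per DNS label)."""
    labels = [part for part in domain.strip().strip(".").split(".") if part]
    if not labels:
        raise ValueError("empty domain name")
    for label in labels:
        if not _HOSTNAME.fullmatch(label):
            raise ValueError(f"invalid DNS label {label!r}")
    return ",".join("DC=" + label for label in labels)


def build_ldap_path(dc_host: str, domain: str) -> str:
    """Return LDAP://<host or IP>/<DN>. Use the IP form when the DC name does not resolve."""
    host = dc_host.strip()
    try:
        ipaddress.ip_address(host)            # an IPv4/IPv6 literal is accepted as-is
    except ValueError:
        if not _HOSTNAME.fullmatch(host):
            raise ValueError(f"{host!r} is neither a host name nor an IP address")
    return f"LDAP://{host}/{dns_domain_to_dn(domain)}"


def parse_ldap_path(path: str) -> Tuple[str, List[str]]:
    """Split an ADsPath into (server, DC labels); anything other than DC= components is rejected,
    because a domain target must point at the domain root, not at a container inside it."""
    m = _ADSPATH.fullmatch(path.strip())
    if not m:
        raise ValueError("expected LDAP://<server>/<distinguished name>")
    server, dn = m.group(1), m.group(2)
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or attr.strip().upper() != "DC" or not value.strip():
            raise ValueError(f"unexpected component {rdn!r}: a domain target needs DC= parts only")
        labels.append(value.strip())
    return server, labels


def domain_name(path: str) -> str:
    """Recover the DNS domain shown in the Domain Name column of the LDAP Targets List."""
    return ".".join(parse_ldap_path(path)[1])


if __name__ == "__main__":
    print(build_ldap_path("OBS-DC1", "OBSERVEIT-SYS.LOCAL"))        # LDAP://OBS-DC1/DC=OBSERVEIT-SYS,DC=LOCAL
    print(domain_name("LDAP://WIN2003-DC/DC=OIT-DEMO,DC=LOCAL"))   # OIT-DEMO.LOCAL
```

The credentials entered to verify the path are a directory bind; for that purpose an account with read access to the directory is sufficient, so there is no need to use a domain administrator account such as the one shown in the screenshot.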
w popup details about the statuses of the Agents in this group. For example:
(Screenshot: the Status popup for the All Servers group, listing statuses such as Unreachable, Disabled and Uninstalled.)
When any of the Agents in the group have been tampered with or incurred data loss in the past 7 days, place the mouse over the Tampered With icon or the Data Loss icon to view the date of the last occurrence. For example:
(Screenshot: the Active Servers (55) row with the tooltip "Tampering occurred during the past 7 days, last occurrence on 1/6/2015".)
5. Click the Error number to display the Servers list, where you can view expanded details of the Agent group members with errors. The Status Details field displays Tampered With. The colored severity bars indicate the event severity level, for example Red = High.
(Screenshot: the Servers list with columns Server Name, Server Policy, Version, Status, Installation and Last Activity. The expanded row for a Default Windows-based Policy server (version 5.8.0.0, status Error, installed 12/4/2014) shows Status Details: Tampered With, OS Type: Windows, OS Version: Windows Server 2008 R2, with Unregister and System Events links.)
6. Click the Error link or the System Events link in the Servers list to view the event in the System Events list, where you can view expanded details including Additional Info.
(Screenshot: a System Events entry at 10:35 AM with event code 1210, category Tampering, description "Agent installation files were tampered with", on server W12-S12-D02; Component: Agent, Source: Agent, Event Descripti
with a secondary ObserveIT logon prompt before they can access a Windows server desktop or a published application. On Linux/Unix Agents, generic users with shared user accounts such as root or sysadmin are prompted to enter their secondary credentials before they can open an interactive user session on an ObserveIT-monitored Linux/Unix computer. These users are also known as Forced Identification users. The exact names of the Forced Identification users are decided by the client, based on the client configuration and particular needs. The list should include the user accounts that are widely known and therefore used by more than one person to log on to the monitored systems.
ObserveIT's Identification Services can integrate with Active Directory. After completing the Windows/Unix logon process, users receive a secondary ObserveIT logon prompt in which they must enter their own personal user name and password before continuing (see Forced Identification User Login). These user credentials are then checked against an Active Directory source.
When no central Active Directory is available against which ObserveIT Identification Services can authenticate, you can define local ObserveIT targets for user authentication. In this case, after users enter their personal user name and password during ObserveIT Identification Services logon, their credentials are checked against a predefined list of ObserveIT local users.
Note the following:
• When
(Screenshot: SQL Server Management Studio Express on WIN2003-OITSRV running the query
update dbo.MonitorLogConfiguration set directory = 'C:\Program Files\ObserveIT\NotificationService\LogFiles'
with the result "1 row(s) affected". Beside it, the ObserveIT Server Diary lists the Administrator's latest sessions on WIN2003-OITSRV, including the one in which the query was run, with their signature verification status.)
3. Click Save to save the changes. Setting changes will take effect on new user sessions after the current sessions are closed.
Setting Session Timeout
Note: This feature is supported on Windows-based and Unix-based server policies.
ObserveIT tracks session idle time, which is the period of inactivity in the session. When a session times out, ObserveIT no longer waits for user input and closes the session. When the user then performs an action, such as clicking a mouse button or typing on the keyboard, ObserveIT creates a new session. This results in two or more user sessions in the Server Diary or User Diary, although from a Windows perspective there was just one long
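Both policy settings described in this guide, the output data limit of Limiting Output Data Recording (Unix/Linux) and the idle timeout of Setting Session Timeout, have the same effect on what an analyst sees: one OS login becomes several ObserveIT sessions, and output produced while no session is open is not in any recording. The following Python is an added example, not ObserveIT code, that simulates that bookkeeping on a constructed timeline (a tail -f on a flooding syslog, then a long pause). Measuring idle time from the last user input, and the 64 KiB limit, are assumptions of this example.

```python
"""How idle timeout and the output-data limit split one login into ObserveIT sessions.

Added example, not ObserveIT code. Idle time is measured from the last user input and
the 64 KiB output limit is an arbitrary value: both are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Session:
    opened_at: float
    closed_at: Optional[float] = None
    close_reason: Optional[str] = None   # "idle_timeout" or "output_limit"
    recorded_output: int = 0             # output bytes kept in the recording
    dropped_output: int = 0              # output bytes past the limit, discarded


class Recorder:
    """Simulates the Agent's session bookkeeping for one interactive login."""

    def __init__(self, idle_timeout_s: float, output_limit_bytes: int):
        self.idle_timeout_s = idle_timeout_s
        self.output_limit_bytes = output_limit_bytes
        self.sessions: List[Session] = []
        self.current: Optional[Session] = None
        self.last_input_at: Optional[float] = None
        self.dropped_between_sessions = 0   # output seen while no session was open

    def _open(self, t: float) -> None:
        self.current = Session(opened_at=t)
        self.sessions.append(self.current)

    def _close(self, t: float, reason: str) -> None:
        assert self.current is not None
        self.current.closed_at = t
        self.current.close_reason = reason
        self.current = None

    def _expire_if_idle(self, now: float) -> None:
        # Session timeout: the session closes at the moment the idle period elapsed,
        # not at the moment the next activity happens to be observed.
        if self.current is not None and self.last_input_at is not None:
            deadline = self.last_input_at + self.idle_timeout_s
            if now >= deadline:
                self._close(deadline, "idle_timeout")

    def on_input(self, t: float) -> None:
        """A key press or mouse click: resets the idle timer; if nothing is open, a new session starts."""
        self._expire_if_idle(t)
        if self.current is None:
            self._open(t)
        self.last_input_at = t

    def on_output(self, t: float, nbytes: int) -> None:
        """Terminal output arriving with no accompanying user input."""
        self._expire_if_idle(t)
        if self.current is None:
            self.dropped_between_sessions += nbytes   # nothing is recorded until the next input
            return
        room = self.output_limit_bytes - self.current.recorded_output
        if nbytes <= room:
            self.current.recorded_output += nbytes
            return
        # Limit exceeded with no user input: keep what fits, discard the rest, close the session.
        self.current.recorded_output += room
        self.current.dropped_output += nbytes - room
        self._close(t, "output_limit")


def run_tail_f_scenario() -> Recorder:
    """Constructed timeline: 'tail -f' on a flooding syslog, then a long pause."""
    rec = Recorder(idle_timeout_s=15 * 60, output_limit_bytes=64 * 1024)
    rec.on_input(0.0)                             # user runs tail -f /var/log/messages
    for second in range(1, 6):
        rec.on_output(float(second), 20 * 1024)   # 20 KiB/s of log lines, no further input
    rec.on_input(10.0)                            # a key press: recording resumes in a new session
    rec.on_output(10.0 + 20 * 60, 512)            # output after 20 idle minutes: session already timed out
    rec.on_input(10.0 + 30 * 60)                  # user returns: a third session
    return rec


if __name__ == "__main__":
    for s in run_tail_f_scenario().sessions:
        print(s)
```

Running the scenario yields three sessions: the first closes after four seconds with 64 KiB recorded and 16 KiB dropped (output_limit), the second closes fifteen minutes after its only key press (idle_timeout) with nothing recorded, and the third is still open. When correlating a Server Diary entry with OS-level logon records, expect this one-to-many relationship rather than a session per logon.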
xpiration period, pairing requests will no longer be approved for the selected users' email addresses.
Applying Identity Theft Settings to Server Policies
To apply identity theft settings to one or more Server Configuration Policies:
1. In the Policies section of the Settings tab, select the check boxes of the server policy templates and/or server policies to which you want to apply the identity theft settings.
Note: It is recommended that you select all the server policy templates.
2. Click Save to save your settings.
Previewing the Email Text
1. In the Email Template section of the Settings tab, you can see a preview of the email text that will be sent to the user. This email text is not editable, since it is generated automatically when an event occurs, but if required you can add more information about the event using the text box that is provided.
2. Click Save to save the changes. A message dialog box opens, prompting you to confirm that you want to make these changes to the Identity Theft settings.
3. Click OK to confirm.
Managing Messages
Note: The creation and configuration of messages is supported only on Windows Agents.
ObserveIT enables you to create and configure messages that will be displayed when a user logs on to one or more servers. These messages include information for the user (instructions, requests
you configure a Forced Identification user, that user account cannot be used for the secondary ObserveIT logon. This means that if a Forced Identification user such as Administrator is created and a user logs on to a server with the PROD\Administrator account, they will be required to provide secondary authentication credentials using a different account, either from Active Directory or from the Local ObserveIT Identification Users database.
• When ObserveIT's Identification Services are integrated with Active Directory, you can allow only users that are members of a specific Active Directory group to log on to the monitored machines. In this scenario, you can restrict users from gaining access to the desktop unless they are members of a predefined Active Directory group. Note that using Active Directory groups is only possible if the LDAP target is an Automatic-type LDAP Target.
• ObserveIT supports only Microsoft Active Directory services. Users or groups that are not members of domain local groups must be synchronized with Active Directory.
• Any modifications you make when configuring Identification Services can be viewed for auditing purposes in the Configuration Changes tab of the Web Console. For further details, see Auditing Configuration Changes.
See the following topics:
• Viewing Forced Identification Users in the Web Console
• Steps for Configuring ObserveIT Identification Services
• Enabling Secondary Identificatio
you have finished defining your search criteria, click Show to update the Alerts list according to the specified details. To clear the filter fields, click Reset.
Activity Alerts
More Filters
• Server: To search for alerts by the servers on which the alerts occurred, select a specific server from the list, or select All to view all alerts.
• Server group: To search for alerts by the server group which includes the servers on which the alerts occurred, select a specific server group from the list, or select All to view all alerts.
• Client: To search for alerts by the client computer from which the user who ran the session logged in, select a specific client from the list, or select All to view all alerts.
• Login: To search for alerts by the login name of the user who ran the session in which the alerts occurred, select a specific login name from the list, or select All to view all alerts.
• User: To search for alerts by the secondary identification of the user who ran the session in which the alerts occurred, select a specific user name from the list, or select All to view all alerts.
• Flagged: To search for alerts by whether they were flagged or not, select Yes (flagged) or No (not flagged), or select All to view all alerts.
Viewing a List of Alerts
In the Activity Alerts page, you can view the names and severities of all generated alerts, with the newest alerts at the top
ype and OS version. As shown in the following figure, for example, the Unix server running Ubuntu 12.04 has an Error status (colored red on the severity bars) and has been Tampered With, as shown in Status Details.
(Screenshot: the Servers list row for u1204-32-1, Default Unix-based Policy, version 5.8.0.110, status Error, installed 12/2/2014, last activity 12/2/2014, with Unregister and System Events links; the expanded details show Status Details: Tampered With, OS Type: Unix, OS Version: Ubuntu 1204.)
You can click the System Events link or the Status link to drill down to the system event details (see Investigating System Events).
To drill down to examine Agents with errors:
• In the Agents portal, click the Error number next to the relevant Agent group. The Servers list opens, filtered to display only the members of that Agent group with Error status.
(Screenshot: the Servers list filtered by Group: Unix Servers and Status: Error, showing u1204-32-1 (5.8.0.110, installed 12/2/2014) and deb600-64-3 (5.8.0.108, installed 12/1/2014), both on the Default Unix-based Policy with Error status.)
ype an email address and click Add. Repeat the above step for each email address to which you want to send an email notification when an event is triggered. To remove an email address, select the check box of the email address you want to remove and click Remove.
5. In the Event Type Selection section, click the relevant event types to add them to the selected list on the right. This designates which events will be included in email notifications.
Note: Since there are numerous event types, it is recommended to filter the event types list on the left by typing the relevant search text in the Event Type Selection text box. For example, you may want to search by a specific severity level (high), an event code (1219) or any keyword (installation).
To remove event types from the selected list, click the relevant event type. They reappear in the unselected list on the left and will not be included in email notifications.
6. In the Email Frequency section, select an option to specify how often the emails should be sent:
• On every event: the default frequency.
• Digest email no more than once every X minutes: an email is sent every X minutes if new system events were recently generated. The Event Digest email is sent only when at least one event was generated since the last digest was sent and the specified number of minutes has passed since the last digest email.
• D
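The same three frequency options appear in both the Alert Notification Policies (Activity Alerts) and the System Events email settings, and the digest rules decide how many emails an incident actually produces. The following Python is an added example, not ObserveIT code, that applies each option to a constructed list of events and also implements the Event Type Selection search described in the note above. Only event code 1210 and its description come from the guide's screenshots; the other codes, descriptions and timestamps are constructed, and sending a queued digest exactly when the X-minute interval elapses (rather than at the next event) is this example's interpretation.

```python
"""Email-frequency options for System Events and Activity Alerts notification policies.

Added example, not ObserveIT code. Event records and timestamps are constructed; only
event code 1210 and its description come from the guide's screenshots.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    at: datetime
    code: int
    severity: str
    description: str


Email = Tuple[datetime, List[Event]]  # (time the email leaves, events it carries)


def _by_time(events: List[Event]) -> List[Event]:
    return sorted(events, key=lambda e: e.at)


def on_every_event(events: List[Event]) -> List[Email]:
    """Default frequency: one email per event, sent as the event is generated."""
    return [(e.at, [e]) for e in _by_time(events)]


def digest_every(events: List[Event], minutes: int) -> List[Email]:
    """Digest no more than once every X minutes: a digest leaves only when at least one event is
    pending and X minutes have passed since the previous digest; quiet intervals send nothing."""
    interval = timedelta(minutes=minutes)
    emails: List[Email] = []
    pending: List[Event] = []
    last_sent: Optional[datetime] = None
    for e in _by_time(events):
        # A digest that fell due while events were queued leaves before this event arrives.
        if pending and last_sent is not None and e.at > last_sent + interval:
            last_sent += interval
            emails.append((last_sent, pending))
            pending = []
        pending.append(e)
        if last_sent is None or e.at >= last_sent + interval:
            last_sent = e.at
            emails.append((last_sent, pending))
            pending = []
    if pending:  # still queued at the end: leaves at the next eligible slot
        emails.append((last_sent + interval, pending))
    return emails


def daily_digest(events: List[Event], send_at: time) -> List[Email]:
    """Daily digest at a fixed time, e.g. 08:00; days without events send nothing."""
    emails: List[Email] = []
    pending: List[Event] = []
    slot: Optional[datetime] = None
    for e in _by_time(events):
        if slot is None:
            slot = datetime.combine(e.at.date(), send_at)
            if slot <= e.at:               # today's slot already passed: first digest is tomorrow
                slot += timedelta(days=1)
        while e.at >= slot:                # flush every slot that passed before this event
            if pending:
                emails.append((slot, pending))
                pending = []
            slot += timedelta(days=1)
        pending.append(e)
    if pending:
        emails.append((slot, pending))
    return emails


def search_event_types(catalog: List[Event], query: str) -> List[Event]:
    """Event Type Selection filter: a severity ('high'), an event code ('1210') or a keyword."""
    q = query.strip().lower()
    return [t for t in catalog
            if q == t.severity.lower() or q == str(t.code) or q in t.description.lower()]


T0 = datetime(2015, 1, 6, 10, 35)
EIGHT_AM = time(8, 0)
SAMPLE_EVENTS = [  # constructed sample; 1210 and its text are from the guide
    Event(T0, 1210, "High", "Agent installation files were tampered with"),
    Event(T0 + timedelta(minutes=3), 1210, "High", "Agent installation files were tampered with"),
    Event(T0 + timedelta(minutes=10), 9001, "Low", "constructed: Agent registered"),
    Event(T0 + timedelta(days=1, minutes=5), 9002, "Medium", "constructed: Notification Service restarted"),
]

if __name__ == "__main__":
    for label, emails in (("every event", on_every_event(SAMPLE_EVENTS)),
                          ("digest/15 min", digest_every(SAMPLE_EVENTS, 15)),
                          ("daily 08:00", daily_digest(SAMPLE_EVENTS, EIGHT_AM))):
        print(label, [(t.isoformat(), [e.code for e in evs]) for t, evs in emails])
```

With the sample, "on every event" sends four emails; a 15-minute digest sends three (the first event alone, the next two together at 10:50, and the next day's event on arrival); the daily digest sends two, one at 08:00 on each following day. A digest that is too long hides a burst of tampering events behind a single line, so keep the interval short for high-severity event types.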
zation's existing SIEM system, providing real-time alerting and reporting capabilities.
Note: In this version of ObserveIT, integration is provided with the HP ArcSight SIEM monitoring software. For further details, see Integrating Logs into SIEM Systems.
The log file from ObserveIT activity alerts can be exported for integration into SIEM monitoring software. Third-party monitoring and management tools, such as Microsoft System Center Operations Manager, IBM QRadar, HP ArcSight, Splunk, McAfee SIEM and ELM, can parse the ObserveIT log file and create events, triggers and alerts based on text strings that appear inside the log file.
Following is an example of an activity dashboard showing alerts that can be viewed and analyzed in the Splunk SIEM monitoring software. Note that from this dashboard view, by clicking the Video icon, you can link directly to the session's video recording at the exact location where the alert was generated.
(Screenshot: a Splunk dashboard of ObserveIT alerts.)
Important: For instructions on how to integrate ObserveIT log data into the HP ArcSight SIEM product by using the CEF open log management standard, see Integrating ObserveIT with HP ArcSight CEF.
System Events
System events are triggered by the ObserveIT system. Events might be triggered when users reach their database storage limits, when a user logs in o
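A SIEM consumes the exported alert log by parsing it, so the useful thing to see is a parser for the CEF format the ArcSight integration relies on, including the two places CEF parsing usually goes wrong: escaped pipes in the header and escaped equals signs in extension values. The following Python is an added example, not ObserveIT or ArcSight code. The sample lines are constructed: the rule name UrlDomainNotEndWithCom and the alert IDs 10060412 and 10060430 appear earlier in this guide, but the vendor/product strings, device version, severities and the extension keys (suser, shost, src, cs1, cs1Label) are assumptions, and the real ObserveIT CEF field layout is documented in Integrating ObserveIT with HP ArcSight CEF, not here.

```python
"""Parse CEF lines such as an ObserveIT-to-ArcSight export for a SIEM forwarder.

Added example, not ObserveIT or ArcSight code. The log lines are constructed: the rule name and
alert IDs come from the guide, the vendor/product strings, severities and extension keys do not.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CefEvent:
    version: int
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int                      # 0-10 after normalising Low/Medium/High/Very-High
    extension: Dict[str, str] = field(default_factory=dict)


HEADER_ESCAPES = {"|": "|", "\\": "\\"}                       # legal escapes in the 7 header fields
EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}    # legal escapes in extension values
SEVERITY_WORDS = {"low": 3, "medium": 6, "high": 8, "very-high": 10}
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")      # 'key=' at start or after whitespace


def _unescape(text: str, table: Dict[str, str]) -> str:
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in table:
            out.append(table[text[i + 1]])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _split_header(line: str) -> Tuple[List[str], str]:
    """Split on the first 7 unescaped pipes; whatever follows is the extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # keep escape pairs intact for _unescape
            cur.append(line[i:i + 2])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return fields, line[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    keys = list(_EXT_KEY.finditer(ext))
    result: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip(), EXT_ESCAPES)
    return result


def parse_cef(line: str) -> CefEvent:
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line)
    version, vendor, product, dev_ver, sig, name, sev = (_unescape(f, HEADER_ESCAPES) for f in fields)
    severity = int(sev) if sev.isdigit() else SEVERITY_WORDS.get(sev.lower())
    if severity is None or not 0 <= severity <= 10:
        raise ValueError(f"bad severity {sev!r}")
    return CefEvent(int(version[len("CEF:"):]), vendor, product, dev_ver, sig, name, severity,
                    parse_extension(ext))


def parse_log(text: str) -> Tuple[List[CefEvent], List[str]]:
    """Parse every line; malformed lines are returned separately instead of being silently dropped."""
    events, rejected = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        try:
            events.append(parse_cef(raw))
        except ValueError:
            rejected.append(raw)
    return events, rejected


def names_at_or_above(events: List[CefEvent], min_severity: int) -> List[str]:
    """What a SIEM rule would trigger on: alert names at or above a severity threshold."""
    return [e.name for e in events if e.severity >= min_severity]


SAMPLE_LOG = "\n".join([  # constructed lines; see the lead-in for what is and is not from the guide
    r"CEF:0|ObserveIT|ObserveIT|5.8.0.0|10060412|UrlDomainNotEndWithCom|5|suser=observeit-sys.local\\lili shost=OIT-LILI src=127.0.0.1 cs1=http://intranet.local/login?admin\=true cs1Label=URL",
    r"CEF:0|ObserveIT|ObserveIT|5.8.0.0|10060430|cmd \| powershell launched|9|suser=observeit-sys.local\\lili shost=OIT-LILI src=10.1.100.114 cs1=powershell.exe -nop -w hidden cs1Label=CommandLine",
    "Jan 06 10:35:00 OIT-LILI syslog line that is not CEF at all",
])

if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    print(names_at_or_above(parsed, 7), "rejected:", len(bad))   # ['cmd | powershell launched'] rejected: 1
```

The parser keeps malformed lines in a separate list rather than dropping them: an export that silently loses records is worse than one that fails loudly, because the missing alert is exactly the one an attacker would want unseen.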
ze increases when using image security.
The following steps are required to enable image security:
1. Obtain a digital certificate.
2. Install the digital certificate.
3. Enable Image Security on the Application Server.
Step 1: Obtaining a Digital Certificate
The first step in enabling image security is to obtain a digital certificate for each Application Server. A digital certificate is the digital equivalent of an ID card used with a public key encryption system. Also called digital IDs, digital certificates are issued by trusted third parties known as certification authorities (CAs).
The process of obtaining a digital certificate is beyond the scope of this documentation. This guide assumes that the reader holds prior knowledge of PKI and its related terminology. For further details, refer to the Microsoft Knowledge Base article Certificate Autoenrollment in Windows Server 2003.
There are several ways you can obtain a digital certificate: from a self-signed source, from an internal Certificate Authority (CA), or from a third-party commercial CA. Whichever source you use, the certificate's value for image security rests on the private key remaining under the Application Server's control, so generate the key in the local computer store and do not mark it exportable. The following screen provides an example of a digital certificate request from a Windows Server 2003 machine to an internal Enterprise Certificate Authority.
(Screenshot: the Certificates MMC snap-in, Console Root > Certificates (Local Computer) > Personal > Certificates, from which the certificate request is started.)